...
The metadata signing key is a secure offline key. It is stored on the hard drive of an offline laptop, which is kept in a safe in a secure facility (#1) with strict physical access controls.
...
A software process that aggregates and signs metadata is run daily according to precise hours of operation. This signing process runs on the offline laptop. The Technical Authority Officer initiates the software process in the presence of the Key Authority Officer.
Unsigned metadata is stored in a digital repository on a secure server with limited physical and network access. The server is locked in a cage in a secure facility (#2) with strict physical access controls. The server is protected by a firewall that limits network access to the InCommon Federation Manager.
In the same way that a bank deposit box requires two distinct physical keys, the metadata signing process requires two human actors, a Key Authority Officer and a Technical Authority Officer. Only the Key Authority Officer can access the safe while only the Technical Authority Officer can run the software process. Both are needed to complete the metadata signing process. Each limits the actions of the other.