Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space mdqedit and version 1.2
Note

As of April 8, 2020, InCommon will move the metadata signing process to a secure cloud-based signing environment. This will allow signing to take place without staff members in physical proximity to each other. This responds to concerns about the COVID-19 virus and the State of Michigan's emergency restrictions. We have published a set of Frequently Asked Questions and Answers (FAQ) which is available in this wiki space.


The InCommon metadata signing process involves the following components and actors:

  1. The metadata signing key
  2. A hardware security module (HSM) (added; replaces the removed items "A Key Authority Officer" and "A Technical Authority Officer")
  3. The metadata repository
  4. A set of signing scripts and utilities

The metadata signing key is the private key used to sign InCommon metadata. The public key that corresponds to the private metadata signing key is bound to the metadata signing certificate, which is stored on a secure web server (ops.incommon.org).
Removed: This key pair together forms the basis of the trust fabric of the InCommon Federation.
Added: This key pair together forms the basis for technical (as opposed to business process) trust in the federation.

Removed: The metadata signing key is a secure offline key. It is stored on the hard drive of an offline laptop, which is kept in a safe in a secure facility (#1) with strict physical access controls. Access to the safe itself requires both a key and a PIN. A Key Authority Officer provides the key while a Technical Authority Officer knows the PIN. A single individual cannot be both a Key Authority Officer and a Technical Authority Officer; that is, no one person knows both the location of the key and the PIN. Thus two people with strict separation of duties are required to access the laptop in the safe.

Added: The metadata signing key is a secure offline key. It is stored within a special device known as a hardware security module (HSM). This device has physical and logical security controls such that the key may not be accessed, modified, removed, or exported without the agreement of multiple InCommon staff members. InCommon has a documented process that governs the activities of these individuals with regard to sensitive HSM operations, and this document is signed by those staff. If the hardware is tampered with, the key is physically destroyed by the device's tamper detection systems.

Unsigned metadata is stored in a digital repository on a secure server with limited physical and network access. The server is locked in a cage in a secure facility (#2) with strict physical access controls and video surveillance. The server is protected by a firewall that restricts network access to the InCommon Federation Manager and the eduGAIN metadata server.

Removed: A software process that orchestrates metadata import and signing is run daily according to precise hours of operation. This software process runs on the offline laptop. The Technical Authority Officer initiates the software process in the presence of the Key Authority Officer.

Added: A signing system which is physically and logically separated from the metadata repository retrieves unsigned metadata from the repository, combines it together with eduGAIN metadata, and requests the HSM to sign the metadata using a service account which can only request signing operations; it cannot perform any other operations on the HSM.

Added: Once signed metadata is verified, it is published to metadata distribution endpoints from which various parties (InCommon metadata consumers) retrieve it and verify the signature, thus ensuring the metadata has not been tampered with by a third party.

Removed: In the same way that a bank deposit box requires two distinct physical keys, the metadata signing process requires two human actors, a Key Authority Officer and a Technical Authority Officer. Only the Key Authority Officer can access the safe while only the Technical Authority Officer can run the software process. Both are needed to complete the metadata signing process. Each limits the actions of the other.
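The consumer side of the process above (retrieve the aggregate, check the signature against the signing certificate published on ops.incommon.org, and refuse stale metadata) as an added Python example. This is not code from this page or from InCommon. The certificate PEM and the metadata document are constructed placeholders, the pinned fingerprint is computed from that placeholder only for the demonstration (in practice it is recorded out of band from the published signing certificate), and XML signature verification is delegated to the xmlsec1 command line tool, whose invocation is assumed here.

```python
"""Consumer-side checks on a signed SAML metadata aggregate (added example, not InCommon code).

Three checks before an aggregate is trusted:
  1. the signing certificate matches a fingerprint pinned out of band,
  2. the XML signature verifies against that certificate (delegated to xmlsec1),
  3. the aggregate's validUntil has not passed, so a replayed old aggregate is rejected.
"""
import hashlib
import hmac
import ssl
import subprocess
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed placeholder, NOT a real certificate: the body is base64 of arbitrary
# bytes, which is enough to exercise the fingerprint code path offline.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "cGxhY2Vob2xkZXItc2lnbmluZy1jZXJ0aWZpY2F0ZS1ib2R5\n"
    "-----END CERTIFICATE-----\n"
)

# Constructed sample aggregate with the attributes the checks below rely on.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="EXAMPLE-AGGREGATE" Name="urn:mace:incommon"
    validUntil="2020-04-22T12:00:00Z">
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"/>
</EntitiesDescriptor>
"""


def cert_fingerprint_sha256(pem: str) -> str:
    """Hex SHA-256 fingerprint of the certificate's DER encoding."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept the colon-separated, upper-case form tools usually print."""
    return fp.replace(":", "").replace(" ", "").lower()


def certificate_is_pinned(pem: str, pinned_fingerprint: str) -> bool:
    """Constant-time comparison against the fingerprint recorded out of band."""
    return hmac.compare_digest(cert_fingerprint_sha256(pem),
                               normalize_fingerprint(pinned_fingerprint))


# Demo only: the pin is derived from the placeholder certificate. A real deployment
# records the fingerprint of the signing certificate from ops.incommon.org out of band.
SAMPLE_PINNED_FINGERPRINT = cert_fingerprint_sha256(SAMPLE_CERT_PEM)


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing Z, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML dateTime: {value!r}")


def metadata_is_fresh(xml_bytes: bytes, now_iso: Optional[str] = None) -> bool:
    """True only for an EntitiesDescriptor whose validUntil lies in the future."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        return False  # not an aggregate at all
    valid_until = root.get("validUntil")
    if valid_until is None:
        return False  # fail closed: without an expiry there is no replay protection
    now = parse_saml_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return now < parse_saml_time(valid_until)


def signature_verifies(metadata_path: str, cert_path: str) -> bool:
    """Delegate XML-DSig verification to xmlsec1 (assumed installed; invocation assumed)."""
    cmd = ["xmlsec1", "--verify", "--pubkey-cert-pem", cert_path,
           "--id-attr:ID", f"{MD_NS}:EntitiesDescriptor", metadata_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def aggregate_is_trustworthy(metadata_path: str, cert_path: str,
                             pinned_fingerprint: str, now_iso: Optional[str] = None) -> bool:
    """Pin, then signature, then freshness; any failure rejects the aggregate."""
    with open(cert_path) as f:
        pem = f.read()
    if not certificate_is_pinned(pem, pinned_fingerprint):
        return False
    if not signature_verifies(metadata_path, cert_path):
        return False
    with open(metadata_path, "rb") as f:
        return metadata_is_fresh(f.read(), now_iso)


if __name__ == "__main__":
    print("pin matches:", certificate_is_pinned(SAMPLE_CERT_PEM, SAMPLE_PINNED_FINGERPRINT))
    print("fresh on 2020-04-10:", metadata_is_fresh(SAMPLE_METADATA, "2020-04-10T00:00:00Z"))
    print("fresh on 2020-05-01:", metadata_is_fresh(SAMPLE_METADATA, "2020-05-01T00:00:00Z"))
```

The order in aggregate_is_trustworthy matters: the certificate is checked against the out-of-band pin before it is handed to xmlsec1, so a substituted certificate served alongside substituted metadata does not get to verify its own signature, and the freshness check runs last so that a correctly signed but expired aggregate from an earlier day is still refused.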
