Comment: Migration of unmigrated content due to installation of a new plugin

...

Explicit Signing Key

Case 1: <md:KeyDescriptor use="signing">

Preconditions:

  • There is an <md:KeyDescriptor use="signing"> element in metadata.
  • The software is configured to use the corresponding private key as a signing key and/or a TLS key.

...

Explicit Encryption Key

Case 2: <md:KeyDescriptor use="encryption">

Preconditions:

  • There is an <md:KeyDescriptor use="encryption"> element in metadata.
  • The software is configured to use the corresponding private key as a decryption key.

...

Multipurpose Keys

Case 3a: <md:KeyDescriptor use="signing"> and <md:KeyDescriptor use="encryption">

This case is essentially a concurrent execution of the algorithms in Cases 1 and 2. Apply this sequence of steps when the two key descriptors contain the same key.

...

  1. Configure the software to use the new decryption key in addition to the old decryption key
  2. Update the metadata as follows:
    1. Add the new <md:KeyDescriptor use="signing"> element to metadata
    2. Add the new <md:KeyDescriptor use="encryption"> element to metadata
    3. Remove the old <md:KeyDescriptor use="encryption"> element from metadata
    4. Leave the old <md:KeyDescriptor use="signing"> element in metadata
  3. Wait for the newly updated metadata to propagate
  4. Configure the software as follows:
    1. Use the new key (instead of the old key) as the signing key and/or TLS key
    2. Use the new decryption key only (i.e., discontinue use of the old decryption key)
  5. Remove the old <md:KeyDescriptor use="signing"> element from metadata
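
The metadata edits from steps 2 and 5 of the Case 3a sequence above, applied to a constructed SPSSODescriptor with Python's ElementTree. This is an added example, not part of the original page; the entityID, endpoint, certificate placeholders and function names are assumptions.

```python
import xml.etree.ElementTree as ET

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"
KD = f"{{{MD}}}KeyDescriptor"
OLD, NEW = "OLD-CERT-PLACEHOLDER", "NEW-CERT-PLACEHOLDER"  # constructed, not real certificates
KI = "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
# Constructed sample metadata: the same old key is published for both uses (Case 3a).
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sp.example.org/sp">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing">{KI.format(OLD)}</md:KeyDescriptor>
  <md:KeyDescriptor use="encryption">{KI.format(OLD)}</md:KeyDescriptor>
  <md:AssertionConsumerService index="1" Location="https://sp.example.org/acs" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def keys(role):
    """Return (use, certificate) for each KeyDescriptor, in document order."""
    return [(kd.get("use"), "".join(kd.findtext(f".//{{{DS}}}X509Certificate", "").split()))
            for kd in role.findall(KD)]

def _drop(role, use, cert):
    for kd in [k for k, key in zip(role.findall(KD), keys(role)) if key == (use, cert)]:
        role.remove(kd)

def _kd(use, cert):
    kd = ET.Element(KD, {"use": use})
    data = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(data, f"{{{DS}}}X509Certificate").text = cert
    return kd

def step2(role, old, new):
    """Add new signing and encryption descriptors, remove old encryption, keep old signing."""
    if ("signing", old) not in keys(role):
        raise ValueError("old signing KeyDescriptor missing: not the Case 3a starting state")
    _drop(role, "encryption", old)
    # Insert beside the remaining KeyDescriptor so the schema's element order is kept.
    pos = max(i for i, child in enumerate(role) if child.tag == KD) + 1
    role.insert(pos, _kd("signing", new))
    role.insert(pos + 1, _kd("encryption", new))
    return keys(role)

def step5(role, old):
    """Run only after step 4 (software switched to the new key): remove old signing."""
    _drop(role, "signing", old)
    return keys(role)

def rollover_states(xml_text=SAMPLE, old=OLD, new=NEW):
    role = ET.fromstring(xml_text).find(f"{{{MD}}}SPSSODescriptor")
    return keys(role), step2(role, old, new), step5(role, old), [c.tag == KD for c in role]
```

Steps 1, 3 and 4 (software configuration and waiting for metadata propagation) happen outside the metadata file and are not modeled here.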

Case 3b: <md:KeyDescriptor>

This case is essentially a concurrent execution of the algorithms in Cases 1 and 2.

...

  1. Configure the software to use the new decryption key in addition to the old decryption key
  2. Update the metadata as follows:
    1. Add the new <md:KeyDescriptor> element (with no use XML attribute)
    2. Change the old <md:KeyDescriptor> element to an <md:KeyDescriptor use="signing"> element
  3. Wait for the newly updated metadata to propagate
  4. Configure the software as follows:
    1. Use the new key (instead of the old key) as the signing key and/or TLS key
    2. Use the new decryption key only (i.e., discontinue use of the old decryption key)
  5. Remove the old <md:KeyDescriptor use="signing"> element from metadata

Case 3c: <md:KeyDescriptor>

This case is essentially a sequential execution of the algorithms in Cases 1 and 2.

...