...
Explicit Signing Key
Case 1:
Preconditions:
- There is an <md:KeyDescriptor use="signing"> element in metadata.
- The software is configured to use the corresponding private key as a signing key and/or a TLS key.
...
Explicit Encryption Key
Case 2:
Preconditions:
- There is an <md:KeyDescriptor use="encryption"> element in metadata.
- The software is configured to use the corresponding private key as a decryption key.
...
Multipurpose Keys
Case 3a:
This case is essentially a concurrent execution of the algorithms in Cases 1 and 2. Apply this sequence of steps when the two key descriptors contain the same key.
...
- Configure the software to use the new decryption key in addition to the old decryption key
- Update the metadata as follows:
  - Add the new <md:KeyDescriptor use="signing"> element to metadata
  - Add the new <md:KeyDescriptor use="encryption"> element to metadata
  - Remove the old <md:KeyDescriptor use="encryption"> element from metadata
  - Leave the old <md:KeyDescriptor use="signing"> element in metadata
- Wait for the newly updated metadata to propagate
- Configure the software as follows:
  - Use the new key (instead of the old key) as the signing key and/or TLS key
  - Use the new decryption key only (i.e., discontinue use of the old decryption key)
- Remove the old <md:KeyDescriptor use="signing"> element from metadata
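The two metadata updates of Case 3a, as an added Python example that is not part of this page or the Shibboleth software; the sample EntityDescriptor, its entityID and the OLD-CERT-PEM / NEW-CERT-PEM certificate placeholders are constructed. The first update publishes the new key for both uses and withdraws only the old encryption descriptor; the second, run after propagation and after the software has switched its signing/TLS key, withdraws the old signing descriptor.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: one SP role whose single key is published for both uses (Case 3a).
# OLD-CERT-PEM / NEW-CERT-PEM stand in for the base64 certificate bodies.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>OLD-CERT-PEM</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>OLD-CERT-PEM</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def load_sp_role(xml_text=SAMPLE_METADATA):
    return ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)

def key_descriptors(role):
    """[(use, certificate)] for every KeyDescriptor in a role descriptor, in document order."""
    out = []
    for kd in role.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        out.append((kd.get("use"), cert.text.strip() if cert is not None else None))
    return out

def add_key_descriptor(role, use, cert):
    kd = ET.Element(f"{{{NS['md']}}}KeyDescriptor", {"use": use})
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{NS['ds']}}}KeyInfo"), f"{{{NS['ds']}}}X509Data")
    ET.SubElement(x509, f"{{{NS['ds']}}}X509Certificate").text = cert
    # Schema order: KeyDescriptor precedes the other role children, so insert after the last one.
    last = max((i for i, child in enumerate(role) if child.tag == kd.tag), default=-1)
    role.insert(last + 1, kd)

def remove_key_descriptor(role, use, cert):
    for kd in list(role.findall("md:KeyDescriptor", NS)):
        c = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use") == use and c is not None and c.text.strip() == cert:
            role.remove(kd)

def rollover_step1(role, old_cert, new_cert):
    """Case 3a, first update: publish the new key for both uses; withdraw the old key for encryption only."""
    add_key_descriptor(role, "signing", new_cert)
    add_key_descriptor(role, "encryption", new_cert)
    remove_key_descriptor(role, "encryption", old_cert)
    return key_descriptors(role)

def rollover_step2(role, old_cert):
    """Case 3a, final update (after propagation and the software's key switch): withdraw old signing key."""
    remove_key_descriptor(role, "signing", old_cert)
    return key_descriptors(role)
```

Between the two steps the old signing descriptor is still published, which is what lets relying parties keep verifying signatures from the old key until the new metadata has reached them.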
Case 3b:
This case is essentially a concurrent execution of the algorithms in Cases 1 and 2.
...
- Configure the software to use the new decryption key in addition to the old decryption key
- Update the metadata as follows:
  - Add the new <md:KeyDescriptor> element (with no use XML attribute)
  - Change the old <md:KeyDescriptor> element to an <md:KeyDescriptor use="signing"> element
- Wait for the newly updated metadata to propagate
- Configure the software as follows:
  - Use the new key (instead of the old key) as the signing key and/or TLS key
  - Use the new decryption key only (i.e., discontinue use of the old decryption key)
- Remove the old <md:KeyDescriptor use="signing"> element from metadata
Case 3c:
This case is essentially a sequential execution of the algorithms in Cases 1 and 2.
...