...

A plan to implement the Phase 1 Recommendations of the Metadata Distribution WG is emerging:

Drivers:

  1. The InCommon metadata signing certificate expires on May 2, 2014.
  2. The InCommon metadata signing certificate is signed by a legacy CA whose certificate expires on March 29, 2014.
  3. The XML signature on InCommon metadata uses a deprecated (and soon-to-be disallowed) SHA-1 digest algorithm.
    • NIST deprecated the use of SHA-1 in conjunction with digital signatures on January 1, 2011.
    • NIST disallows the use of SHA-1 in conjunction with digital signatures after January 1, 2014.
    • See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4

...

  1. Replace the current signing certificate with a long-lived, self-signed certificate based on the current key pair. Set the new certificate to expire on December 18, 2037.
  2. Deploy a new metadata aggregate that uses the new self-signed certificate and a SHA2-based signing algorithm (specifically, SHA-256).
  3. Recommend that all deployments migrate to the new metadata aggregate ASAP but no later than [date TBD]. In particular, any deployment that (incorrectly) relies on the legacy CA *must* either stop doing so or migrate to the new metadata aggregate by March 29, 2014.
  4. Replace the current metadata aggregate with a redirect to the new metadata aggregate on [date TBD].
  5. Create a discussion list for administrators that have questions or problems regarding this transition.

Assumption:

It is strongly recommended that InCommon SPs and IdPs refresh and verify metadata at least daily. The security implications of metadata refresh are discussed on the Metadata Consumption wiki page:

Regular metadata refresh protects users against spoofing and phishing, and is a necessary precaution in the event of key compromise. Failure to refresh metadata exposes you, your users, and other Federation participants to unnecessary risk.
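The two checks a deployment would want during this transition, that the aggregate it refreshes is signed with SHA-256 rather than the deprecated SHA-1 algorithms (plan step 2) and that its validUntil has not passed (the daily refresh recommendation), as an added example using only the Python standard library; this is not InCommon's or the working group's code. It assumes a single enveloped ds:Signature on the EntitiesDescriptor and an RFC 3339 UTC validUntil attribute; the sample aggregates are constructed and carry no signature value.

```python
"""Audit a SAML metadata aggregate's XML signature for the SHA-1 to SHA-256 move."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Algorithm URIs that rely on SHA-1 (deprecated by NIST, disallowed after 2013)
SHA1_URIS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}
# SHA-256 algorithm URIs the new aggregate is expected to use
SHA256_URIS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmlenc#sha256"}

# Constructed sample: a minimal aggregate still signed with SHA-1 (no SignatureValue)
SAMPLE_SHA1 = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2014-03-20T00:00:00Z">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI=""><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</md:EntitiesDescriptor>"""
# Constructed sample: the same aggregate after re-signing with SHA-256 algorithms
SAMPLE_SHA256 = (SAMPLE_SHA1.replace("2000/09/xmldsig#rsa-sha1", "2001/04/xmldsig-more#rsa-sha256")
                            .replace("2000/09/xmldsig#sha1", "2001/04/xmlenc#sha256"))

def parse_utc(stamp):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_signature(xml_text):
    """Report which signature and digest algorithms the top-level ds:Signature uses."""
    root = ET.fromstring(xml_text)
    sig = root.find(DS + "Signature")
    algs = [] if sig is None else [
        el.get("Algorithm") for el in sig.iter()
        if el.tag in (DS + "SignatureMethod", DS + "DigestMethod")]
    return {"signed": sig is not None,
            "weak": sorted(a for a in algs if a in SHA1_URIS),
            "strong": sorted(a for a in algs if a in SHA256_URIS),
            "valid_until": root.get("validUntil")}

def acceptable(findings, now):
    """True only for a signed, SHA-2-only aggregate whose validUntil is still ahead of now."""
    if not findings["signed"] or findings["weak"] or not findings["strong"]:
        return False
    if findings["valid_until"] is None:  # cannot enforce a refresh policy without it
        return False
    return parse_utc(now) < parse_utc(findings["valid_until"])

if __name__ == "__main__":
    for label, doc in (("SHA-1", SAMPLE_SHA1), ("SHA-256", SAMPLE_SHA256)):
        f = audit_signature(doc)
        print(label, f["weak"] or "no SHA-1", "acceptable:", acceptable(f, "2014-03-19T12:00:00Z"))
```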