...

A plan to implement the Phase 1 Recommendations of the Metadata Distribution WG is emerging.

Executive Summary

  1. A new metadata aggregate will be deployed, at a new HTTP location.
  2. The digital signature on the new metadata aggregate will be upgraded.
    1. The signing certificate is new (but the signing key is not).
    2. The digital signature on the new metadata aggregate employs a SHA-2 digest algorithm.
  3. All deployments are encouraged to migrate to the new metadata aggregate ASAP but no later than [date TBD].
    1. Some non-standard deployments may be required to take action by March 29, 2014.

Assumptions

It is strongly recommended that InCommon SPs and IdPs refresh and verify metadata at least daily. The security implications of metadata refresh are called out on the Metadata Consumption wiki page:

...

If you verify the digital signature on InCommon metadata (as recommended), then the following implementation plan will affect your metadata refresh process. Even if you don't verify the signature (not recommended), the HTTP location of InCommon metadata is changing.

Drivers

  1. The InCommon metadata signing certificate expires on May 2, 2014.
  2. The InCommon metadata signing certificate is signed by a legacy CA whose certificate expires on March 29, 2014.
  3. The XML signature on InCommon metadata uses a deprecated (and soon-to-be disallowed) SHA-1 digest algorithm.
    • NIST deprecated the use of SHA-1 in conjunction with digital signatures on January 1, 2011.
    • NIST disallows the use of SHA-1 in conjunction with digital signatures after January 1, 2014.
    • See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4
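The drivers above come down to two things a metadata consumer can check on every refresh before it trusts an aggregate: which digest and signature algorithms the XML signature declares (SHA-1 is the deprecated case), and whether the aggregate's validUntil has passed. The following pre-flight check is an added example, not InCommon's or the Shibboleth project's code. It does not verify the signature cryptographically; that remains the job of the consumer's normal tooling (for example xmlsec1 or the Shibboleth SignatureValidationFilter). It only inspects what the enveloped signature declares, using the standard XML DSig, XML Encryption and RFC 6931 algorithm identifiers, so a refresh job can reject a SHA-1-signed or stale aggregate early. The two sample aggregates are constructed for the demonstration and carry placeholder signature and digest values; the entity IDs and dates in them are assumptions.

```python
"""Pre-flight policy check for a signed SAML metadata aggregate (added example)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# SHA-1 based XML DSig identifiers: NIST deprecated them for signatures in
# 2011 and disallows them after January 1, 2014 (SP 800-57 Part 1 Rev 3).
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}
# SHA-2 identifiers this check accepts (XML Encryption and RFC 6931 URIs).
ACCEPTED_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}


def parse_saml_datetime(text):
    """Parse an xs:dateTime as used in SAML metadata (UTC, optional fraction)."""
    base = text.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def _check_algorithm(where, alg):
    if alg is None:
        return ["%s missing" % where]
    if alg in SHA1_ALGORITHMS:
        return ["%s uses SHA-1 (%s)" % (where, alg)]
    if alg not in ACCEPTED_ALGORITHMS:
        return ["%s uses unrecognised algorithm %s" % (where, alg)]
    return []


def check_aggregate(xml_text, now):
    """Return a list of policy problems; an empty list means the aggregate
    passes the pre-check and may be handed to real signature verification.
    `now` is a datetime or an xs:dateTime string, passed explicitly so the
    result is reproducible in tests and in a scheduled refresh job's logs."""
    if isinstance(now, str):
        now = parse_saml_datetime(now)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        problems.append("root element is not md:EntitiesDescriptor")

    # validUntil bounds how long a cached copy may be trusted between refreshes.
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("validUntil attribute missing")
    elif parse_saml_datetime(valid_until) <= now:
        problems.append("aggregate expired at %s" % valid_until)

    # Only an enveloped signature directly under the root covers the whole
    # aggregate; a signature nested deeper does not vouch for every entity.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("no ds:Signature on the aggregate")
        return problems
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    problems += _check_algorithm(
        "SignatureMethod", None if method is None else method.get("Algorithm"))

    root_ref = "#" + root.get("ID") if root.get("ID") else None
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if not refs:
        problems.append("signature has no ds:Reference")
    for ref in refs:
        uri = ref.get("URI", "")
        if uri != "" and uri != root_ref:
            problems.append("Reference URI %r does not cover the root element" % uri)
        digest = ref.find("ds:DigestMethod", NS)
        problems += _check_algorithm(
            "DigestMethod", None if digest is None else digest.get("Algorithm"))
    return problems


def constructed_aggregate(sig_alg, digest_alg, valid_until):
    """Build a constructed sample aggregate; the signature values are placeholders."""
    return (
        '<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s" ID="AGG1" validUntil="%s">'
        '<ds:Signature><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="%s"/>'
        '<ds:Reference URI="#AGG1"><ds:DigestMethod Algorithm="%s"/>'
        '<ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>'
        '</ds:Signature>'
        '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"/>'
        '</md:EntitiesDescriptor>'
    ) % (NS["md"], NS["ds"], valid_until, sig_alg, digest_alg)


# Constructed samples: the legacy SHA-1 signature and the SHA-2 upgrade.
LEGACY = constructed_aggregate("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                               "http://www.w3.org/2000/09/xmldsig#sha1",
                               "2014-03-22T00:00:00Z")
UPGRADED = constructed_aggregate("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                                 "http://www.w3.org/2001/04/xmlenc#sha256",
                                 "2014-04-30T00:00:00Z")

if __name__ == "__main__":
    for name, doc in (("legacy", LEGACY), ("upgraded", UPGRADED)):
        print(name, check_aggregate(doc, "2014-03-15T00:00:00Z") or "OK")
```

Run as a script it reports the SHA-1 signature and digest on the legacy sample and passes the upgraded one. In a daily refresh job the natural place for this is between the download and the signature verification step, with a non-empty result aborting the refresh and keeping the previously verified copy in place.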

...