  1. The InCommon metadata signing certificate expires on May 2, 2014.
  2. The InCommon metadata signing certificate is signed by a legacy CA whose certificate expires on March 29, 2014.
  3. The XML signature on InCommon metadata uses a deprecated (and soon-to-be disallowed) SHA-1 digest algorithm.
    • NIST deprecated the use of SHA-1 in conjunction with digital signatures on January 1, 2011.
    • NIST disallows the use of SHA-1 in conjunction with digital signatures after January 1, 2014.
    • See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4
  4. Multiple, heterogeneous services run on the vhost wayf.incommonfederation.org, namely metadata services and discovery services. To provide better quality of service, these services need to be segregated onto their own vhosts (md.incommon.org and ds.incommon.org, respectively).

Actions

  1. Replace the current signing certificate with a long-lived, self-signed certificate based on the current key pair. Set the new certificate to expire on December 18, 2037.
  2. Deploy a new metadata aggregate that uses the new self-signed certificate and a SHA2-based signing algorithm (specifically, SHA-256).
  3. Recommend that all deployments migrate to the new metadata aggregate ASAP but no later than [date TBD]. In particular, any deployment that (incorrectly) relies on the legacy CA *must* either stop doing so or migrate to the new metadata aggregate by March 29, 2014.
  4. Replace the current metadata aggregate with a redirect to the new metadata aggregate on [date TBD].
  5. Create a discussion list for administrators that have questions or problems regarding this transition.
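As an added check for issue 3 and action 2 above (example code written here, not InCommon's own tooling), the following Python reads the enveloped XML signature of a metadata aggregate, reports its SignatureMethod and DigestMethod URIs, and classifies any SHA-1 use against the NIST dates cited above. The two sample aggregates are constructed, with placeholder digest and signature values; the namespace and algorithm URIs are the standard XML-DSig ones.

```python
import xml.etree.ElementTree as ET
from datetime import date

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# NIST SP 800-57 Part 1 Rev. 3 dates for SHA-1 with digital signatures (as cited above)
NIST_SHA1_DEPRECATED = date(2011, 1, 1)
NIST_SHA1_DISALLOWED = date(2014, 1, 1)

def signature_algorithms(metadata_xml):
    """Return (SignatureMethod, DigestMethod) URIs from the aggregate's enveloped signature."""
    root = ET.fromstring(metadata_xml)
    sig = root.find(f"{DS}Signature")
    if sig is None:
        raise ValueError("metadata aggregate carries no ds:Signature")
    sig_method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm")
    digest_method = sig.find(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod").get("Algorithm")
    return sig_method, digest_method

def classify_sha1_use(metadata_xml, on_date_iso):
    """'ok' if the signature avoids SHA-1; otherwise NIST's status for SHA-1 on that ISO date."""
    on_date = date.fromisoformat(on_date_iso)
    if not any("sha1" in alg.lower() for alg in signature_algorithms(metadata_xml)):
        return "ok"
    if on_date >= NIST_SHA1_DISALLOWED:
        return "disallowed"
    if on_date >= NIST_SHA1_DEPRECATED:
        return "deprecated"
    return "acceptable"

def _constructed_aggregate(sig_alg, digest_alg):
    # Constructed minimal aggregate: digest and signature values are placeholders, not real.
    return f"""<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:example:constructed">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</EntitiesDescriptor>"""

# The current (SHA-1) aggregate versus the new (SHA-256) aggregate, as constructed samples.
LEGACY_AGGREGATE = _constructed_aggregate(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1")
NEW_AGGREGATE = _constructed_aggregate(
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmlenc#sha256")
```

Running `classify_sha1_use` over a fetched aggregate with today's date tells a deployment whether the metadata it consumes is still signed with the deprecated algorithm.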