...
This document is a DRAFT plan to implement the Phase 1 Recommendations of the Metadata Distribution WG.
Executive Summary
- InCommon Operations will deploy two new metadata aggregates at the following permanent HTTP locations:
- http://md.incommon.org/InCommon/InCommon-metadata.xml (production)
- http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml (fallback)
- Both metadata aggregates will be signed using a new self-signed signing certificate set to expire on December 18, 2037.
- Although the signing certificate is new, the signing key is not.
- Both metadata aggregates will be signed with the same key but will use different digest algorithms.
- The new production metadata aggregate will be signed using a SHA-2 digest algorithm.
- The new fallback metadata aggregate will be signed using a SHA-1 digest algorithm (which is what we use now).
- All deployments should migrate to one of these new metadata aggregates ASAP but no later than March 29, 2014.
- The current metadata aggregate will be replaced with a redirect to the fallback metadata aggregate on March 29, 2014.
- If your metadata process can verify an XML signature that uses a SHA-2 digest algorithm, migrate to the production metadata aggregate.
- If your metadata process cannot verify an XML signature that uses a SHA-2 digest algorithm, migrate to the fallback metadata aggregate.
- All deployments shall migrate to the production metadata aggregate by June 30, 2014.
- On June 30, the fallback metadata aggregate will be synced with the production metadata aggregate (i.e., both aggregates will be signed using a SHA-2 digest algorithm).
Some non-standard deployments may be required to take action by March 29, 2014.
*All deployments are encouraged to migrate to the new metadata aggregate ASAP but no later than [date TBD].*
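Before switching a deployment to one of the new aggregates, it is worth downloading the file and inspecting its XML signature rather than guessing which one your verifier can handle. The script below is an added example (not InCommon's tooling and not code from this page); it uses only the Python standard library, parses the enveloped ds:Signature on the EntitiesDescriptor, confirms the single Reference points at the root element (so the signature covers the whole aggregate, not just one entity), and reports whether the SignatureMethod/DigestMethod URIs belong to the SHA-1 or SHA-2 family. The algorithm URI sets are the standard xmldsig/xmldsig-more identifiers; the sample aggregate and its placeholder DigestValue/SignatureValue are constructed for illustration and are not a real InCommon file.

```python
"""Report the digest/signature algorithm family used on a SAML metadata aggregate.

Added example, standard library only. It does not verify the signature
cryptographically; it tells you which algorithm family a verifier would need.
"""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Standard XML Signature algorithm identifiers, grouped by hash family.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}
SHA2_URIS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}


def family(uri):
    """Map an algorithm URI to 'sha1', 'sha2' or 'unknown'."""
    if uri in SHA1_URIS:
        return "sha1"
    if uri in SHA2_URIS:
        return "sha2"
    return "unknown"


def inspect_signature(xml_text):
    """Return the algorithms on the aggregate's enveloped signature.

    Raises ValueError if the document is not a signed EntitiesDescriptor or
    the signature does not cover the root element.
    """
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntitiesDescriptor":
        raise ValueError("not a metadata aggregate: %s" % root.tag)
    # The signature must be a direct child of the root: an enveloped signature
    # over the whole aggregate, not a signature buried in one EntityDescriptor.
    sig = root.find(DS + "Signature")
    if sig is None:
        raise ValueError("aggregate is unsigned")
    signed_info = sig.find(DS + "SignedInfo")
    sig_method = signed_info.find(DS + "SignatureMethod").get("Algorithm")
    refs = signed_info.findall(DS + "Reference")
    if len(refs) != 1:
        raise ValueError("expected exactly one Reference, found %d" % len(refs))
    ref = refs[0]
    # URI="" means the whole document; "#<ID>" must name the root element.
    root_id = root.get("ID")
    if ref.get("URI", "") not in ("", "#%s" % root_id if root_id else "#"):
        raise ValueError("Reference URI %r does not cover the root element" % ref.get("URI"))
    digest_method = ref.find(DS + "DigestMethod").get("Algorithm")
    fams = {family(sig_method), family(digest_method)}
    return {
        "signature_method": sig_method,
        "digest_method": digest_method,
        "family": fams.pop() if len(fams) == 1 else "mixed",
    }


def verifier_can_handle(xml_text, supports_sha2):
    """True if a verifier with the given SHA-2 capability can check this aggregate."""
    fam = inspect_signature(xml_text)["family"]
    if fam == "sha1":
        return True
    if fam == "sha2":
        return supports_sha2
    return False


def sample_aggregate(sig_alg, digest_alg):
    """Constructed sample aggregate (not a real InCommon file); values are placeholders."""
    return (
        '<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="SAMPLE_AGG" Name="urn:example:aggregate">'
        "<ds:Signature><ds:SignedInfo>"
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="%s"/>'
        '<ds:Reference URI="#SAMPLE_AGG">'
        "<ds:Transforms>"
        '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
        '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        "</ds:Transforms>"
        '<ds:DigestMethod Algorithm="%s"/>'
        "<ds:DigestValue>PLACEHOLDER</ds:DigestValue>"
        "</ds:Reference></ds:SignedInfo>"
        "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
        "</ds:Signature>"
        '<EntityDescriptor entityID="https://sp.example.org/shibboleth"/>'
        "</EntitiesDescriptor>"
    ) % (sig_alg, digest_alg)


if __name__ == "__main__":
    prod = sample_aggregate("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                            "http://www.w3.org/2001/04/xmlenc#sha256")
    fallback = sample_aggregate("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                                "http://www.w3.org/2000/09/xmldsig#sha1")
    for name, doc in (("production-style", prod), ("fallback-style", fallback)):
        print(name, inspect_signature(doc))
```

Run it against a downloaded aggregate with `inspect_signature(open("InCommon-metadata.xml").read())`: a "sha2" result means the file is only usable by a verifier that supports SHA-2 XML signatures, "sha1" matches the current and fallback aggregates, and a ValueError on the Reference check means the signature does not protect the whole aggregate and the file should be rejected regardless of algorithm.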
Current Policy
It is strongly recommended that InCommon SPs and IdPs refresh and verify metadata at least daily. The security implications of metadata refresh are discussed on the Metadata Consumption wiki page:
...