Versions Compared

...

  1. InCommon Operations will deploy two new metadata aggregates at the following permanent HTTP locations:
    • http://md.incommon.org/InCommon/InCommon-metadata.xml (production)
    • http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml (fallback)
  2. Both metadata aggregates will be signed using a new self-signed signing certificate set to expire on December 18, 2037.
    • Although the signing certificate is new, the signing key is not.
  3. Both metadata aggregates will be signed with the same key but will use different digest algorithms.
    • The new production metadata aggregate will be signed using a SHA-2 digest algorithm.
    • The new fallback metadata aggregate will be signed using a SHA-1 digest algorithm (which is what we use now).
  4. All deployments shall migrate to one of the new metadata aggregates ASAP but no later than March 29, 2014.
    • The current metadata aggregate will be replaced with a redirect to the fallback metadata aggregate on March 29, 2014.
    • If your metadata process can verify an XML signature that uses a SHA-2 digest algorithm, migrate to the production metadata aggregate.
    • If your metadata process cannot verify an XML signature that uses a SHA-2 digest algorithm, migrate to the fallback metadata aggregate.
  5. All deployments shall migrate to the production metadata aggregate by June 30, 2014.
    • On June 30, the fallback metadata aggregate will be synced with the production metadata aggregate (i.e., both aggregates will be signed using a SHA-2 digest algorithm).
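As an added example, not part of the InCommon page or of InCommon's own operations tooling, the Python script below shows the two checks the transition steps above call for on the consuming side: pin the signing key (the SubjectPublicKeyInfo) rather than the signing certificate, so that the switch to the new long-lived self-signed certificate changes nothing about what a deployment trusts, and read the digest and signature algorithm URIs out of ds:SignedInfo to tell a SHA-256-signed (production) aggregate from a SHA-1-signed (fallback) one. It only inspects the signature block; actual signature verification (canonicalization and RSA verification) stays with the deployment's XML-security library. The certificate skeletons, key bytes, XML and the urn:example name are constructed placeholders, not InCommon's; the DER walker is a minimal hand-written one, not a library.

```python
"""Inspect the XML signature on a SAML metadata aggregate: pin the signing
key (not the certificate) and classify the aggregate by digest algorithm."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Algorithm URIs from the XML Signature / XML Encryption specifications
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1_SIG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256_SIG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


# --- minimal DER helpers, just enough to walk an X.509 Certificate ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def der_read(buf, pos):
    """Return (tag, value, raw_tlv, next_pos) for the TLV starting at pos."""
    start = pos
    tag = buf[pos]; pos += 1
    ln = buf[pos]; pos += 1
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    end = pos + ln
    return tag, buf[pos:end], buf[start:end], end

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, raw, pos = der_read(body, pos)
        out.append((tag, val, raw))
    return out

def spki_sha256(der_cert):
    """SHA-256 over the DER SubjectPublicKeyInfo: identifies the key, not the cert."""
    _, cert_body, _, _ = der_read(der_cert, 0)
    tbs = der_children(cert_body)[0]            # tbsCertificate
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                    # skip EXPLICIT [0] version if present
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return hashlib.sha256(fields[5][2]).hexdigest()


# --- signature-block inspection and the migration rule ---
def inspect_signature(xml_text, pinned_spki):
    root = ET.fromstring(xml_text)
    sig = root.find(DS + "Signature")
    info = {
        "signature_alg": sig.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm"),
        "digest_alg": sig.find(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod").get("Algorithm"),
    }
    cert_b64 = sig.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate").text
    info["spki_sha256"] = spki_sha256(base64.b64decode("".join(cert_b64.split())))
    info["key_matches_pin"] = info["spki_sha256"] == pinned_spki
    return info

def classify(info):
    if not info["key_matches_pin"]:
        return "reject: signing key does not match the pinned key"
    if info["digest_alg"] == SHA256_DIGEST and info["signature_alg"] == SHA256_SIG:
        return "production (SHA-256)"
    if info["digest_alg"] == SHA1_DIGEST or info["signature_alg"] == SHA1_SIG:
        return "fallback (SHA-1, deprecated by NIST SP 800-57)"
    return "unknown algorithm"


# --- constructed test data (structure only; no real keys or signatures) ---
RSA_OID = tlv(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
SHA256_RSA_OID = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
FAKE_SPKI = seq(seq(RSA_OID, tlv(0x05, b"")), tlv(0x03, b"\x00" + b"\x11" * 32))

def fake_cert(not_after, spki=FAKE_SPKI):
    """Constructed certificate skeleton with the field order of RFC 5280."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                        # version v3
        tlv(0x02, b"\x01"),                                   # serialNumber
        seq(SHA256_RSA_OID, tlv(0x05, b"")),                  # signature algorithm
        seq(),                                                # issuer (empty, constructed)
        seq(tlv(0x18, b"20131218000000Z"), tlv(0x18, not_after)),  # validity
        seq(),                                                # subject (empty, constructed)
        spki,
    )
    return seq(tbs, seq(SHA256_RSA_OID, tlv(0x05, b"")), tlv(0x03, b"\x00" + b"\x22" * 32))

def sample_aggregate(digest_alg, sig_alg, der_cert):
    return f"""<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:example:aggregate">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI=""><ds:DigestMethod Algorithm="{digest_alg}"/><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(der_cert).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</EntitiesDescriptor>"""

if __name__ == "__main__":
    # Pin taken from the old certificate (expires 2014-05-02); the new one
    # (expires 2037-12-18) carries the same key, so the pin still matches.
    pin = spki_sha256(fake_cert(b"20140502000000Z"))
    new_cert = fake_cert(b"20371218000000Z")
    print("same key in new cert:", spki_sha256(new_cert) == pin)
    for digest, sig in ((SHA256_DIGEST, SHA256_SIG), (SHA1_DIGEST, SHA1_SIG)):
        print(classify(inspect_signature(sample_aggregate(digest, sig, new_cert), pin)))
```

The pin is a hash of the SubjectPublicKeyInfo rather than of the whole certificate precisely because the page's plan replaces the certificate while keeping the key: a certificate fingerprint would break at the cutover, a key fingerprint does not. The classification mirrors the migration rule in items 4 and 5: a process that lands on "fallback" is still consuming SHA-1 signatures and needs to move before the June 30 sync.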

...

  1. The InCommon metadata signing certificate expires on May 2, 2014.
  2. The InCommon metadata signing certificate is signed by a legacy CA whose certificate expires on March 29, 2014.
  3. The XML signature on InCommon metadata uses a deprecated (and soon-to-be disallowed) SHA-1 digest algorithm.
    • NIST deprecated the use of SHA-1 in conjunction with digital signatures on January 1, 2011.
    • NIST disallows the use of SHA-1 in conjunction with digital signatures after January 1, 2014.
    • See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4
  4. Multiple, heterogeneous services run on vhost wayf.incommonfederation.org, namely, Metadata Services and the Discovery Service. To provide better quality of service, these services need to be segregated on their own vhosts (md.incommon.org and ds.incommon.org, respectively). Note: The InCommon Federated Error Handling Service is already running on ds.incommon.org.

Actions

InCommon Operations will take the following actions:

  1. Replace the current signing certificate with a long-lived, self-signed certificate based on the current key pair. Set the new certificate to expire on December 18, 2037.
  2. Deploy a new production metadata aggregate that uses the new self-signed certificate and a SHA-2-based signing algorithm (specifically, SHA-256).
  3. Deploy a new fallback metadata aggregate that uses the new self-signed certificate and a SHA-1-based signing algorithm (as we do now).
  4. Advise all deployments to migrate to one of the new metadata aggregates ASAP but no later than March 29, 2014.
  5. Replace the current metadata aggregate with a redirect to the fallback metadata aggregate on March 29, 2014.
  6. Sync the fallback metadata aggregate with the production metadata aggregate on June 30, 2014.

Earlier version of items 4 through 6 (superseded in this revision):
  • Recommend that all deployments migrate to the new metadata aggregate ASAP but no later than [date TBD]. In particular, any deployment that (incorrectly) relies on the legacy CA must either stop doing so or migrate to the new metadata aggregate by March 29, 2014.
  • Replace the current metadata aggregate with a redirect to the new metadata aggregate on [date TBD].

A discussion list will be created for administrators that have questions or problems regarding this transition.