...

  • http://md.incommon.org/InCommon/InCommon-metadata.xml (production)
  • http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml (fallback)

Note the new vhost md.incommon.org. Moving forward, all new metadata services will be deployed on vhost md.incommon.org.

Multiple, heterogeneous services currently run on vhost wayf.incommonfederation.org, namely Metadata Services and the InCommon Discovery Service. To provide better quality of service, these services need to be segregated onto their own vhosts (md.incommon.org and ds.incommon.org, respectively). Note: The InCommon Federated Error Handling Service is already running on ds.incommon.org.

Is the current HTTP location of InCommon metadata going away?

Yes. All metadata services on vhost wayf.incommonfederation.org will be decommissioned on March 29, 2014. At that time, we will install a redirect to the new fallback metadata aggregate.

Note: All deployments should migrate ASAP

All deployments should migrate to one of the new metadata aggregates ASAP but no later than March 29, 2014.

The InCommon metadata signing certificate expires on May 2, 2014. More importantly, the InCommon metadata signing certificate is signed by a legacy CA whose certificate expires on March 29, 2014. This is why we chose the above migration deadline.

Both metadata aggregates will be signed using a new self-signed signing certificate set to expire on December 18, 2037. We don't intend to re-sign the metadata signing certificate unless it's absolutely necessary. Note that although the signing certificate is new, the signing key is not.

Why are there TWO new metadata aggregates?

Both metadata aggregates will be signed with the same key but will use different digest algorithms:

  • The new production metadata aggregate will be signed using a SHA-2 digest algorithm.
  • The new fallback metadata aggregate will be signed using a SHA-1 digest algorithm (which is what we use now).

Currently the XML signature on InCommon metadata uses a deprecated (and soon-to-be disallowed) SHA-1 digest algorithm:

  • NIST deprecated the use of SHA-1 in conjunction with digital signatures on January 1, 2011.
  • NIST disallows the use of SHA-1 in conjunction with digital signatures after January 1, 2014.
  • See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4

This is why we're moving to a SHA-2 digest algorithm.
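The practical question for a deployer is which hash family the enveloped XML Signature on a downloaded aggregate actually uses, since the SHA-1 and SHA-2 aggregates are otherwise signed with the same key. The following is an added example, not InCommon's code or tooling: it reads the ds:SignedInfo of the aggregate's root signature, reports both the SignatureMethod and the per-Reference DigestMethod URIs (SHA-1 in either place is still SHA-1 for SP 800-57 purposes), and classifies the result. The two sample documents are constructed skeletons with placeholder SignatureValue and DigestValue content, so this inspects algorithm identifiers only; it does not validate the signature.

```python
import xml.etree.ElementTree as ET

# XML Signature and SAML 2.0 metadata namespaces.
NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Algorithm URIs from XML Signature Syntax and Processing and RFC 6931.
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}
SHA2_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}


def signature_algorithms(metadata_xml: str) -> dict:
    """Return the SignatureMethod and DigestMethod URIs of the aggregate's
    enveloped signature, plus a classification of the hash family in use."""
    root = ET.fromstring(metadata_xml)
    # Only the ds:Signature that is a direct child of the root EntitiesDescriptor
    # covers the whole aggregate; per-entity signatures nested deeper are ignored.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("no enveloped ds:Signature on the root element")
    signed_info = sig.find("ds:SignedInfo", NS)
    sig_method = signed_info.find("ds:SignatureMethod", NS).get("Algorithm")
    digest_methods = [
        d.get("Algorithm")
        for d in signed_info.findall("ds:Reference/ds:DigestMethod", NS)
    ]
    algs = [sig_method] + digest_methods
    if all(a in SHA2_ALGORITHMS for a in algs):
        family = "sha2"
    elif all(a in SHA1_ALGORITHMS for a in algs):
        family = "sha1"
    elif all(a in SHA1_ALGORITHMS | SHA2_ALGORITHMS for a in algs):
        family = "mixed"  # e.g. RSA-SHA256 signature over a SHA-1 reference digest
    else:
        family = "unknown"
    return {"signature_method": sig_method,
            "digest_methods": digest_methods,
            "family": family}


def meets_nist_2014_policy(metadata_xml: str) -> bool:
    """True only when every algorithm in SignedInfo is SHA-2, i.e. no SHA-1
    anywhere in the signature (SP 800-57 disallows SHA-1 with digital
    signatures after January 1, 2014)."""
    return signature_algorithms(metadata_xml)["family"] == "sha2"


def _sample(sig_alg: str, digest_alg: str) -> str:
    # Constructed minimal skeleton of a signed aggregate. The Name, SignatureValue
    # and DigestValue are placeholders, not InCommon's real values.
    return f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" Name="urn:example:aggregate">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</md:EntitiesDescriptor>"""


# Constructed stand-ins for the two aggregates described above.
PRODUCTION_SAMPLE = _sample("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                            "http://www.w3.org/2001/04/xmlenc#sha256")
FALLBACK_SAMPLE = _sample("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                          "http://www.w3.org/2000/09/xmldsig#sha1")

if __name__ == "__main__":
    for name, doc in (("production", PRODUCTION_SAMPLE), ("fallback", FALLBACK_SAMPLE)):
        print(name, signature_algorithms(doc), meets_nist_2014_policy(doc))
```

To run this against a real download, pass the file contents to signature_algorithms() in place of the constructed samples; a result of "sha1" or "mixed" means the deployment is still consuming a SHA-1 signature and should be pointed at the production aggregate once its SAML software can verify SHA-2 signatures.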

What is a "fallback metadata aggregate?"

...