...
- Replace the current signing certificate with a long-lived, self-signed certificate based on the current key pair.
- Set the new certificate to expire on December 18, 2037.
- Deploy a new production metadata aggregate that uses the new self-signed certificate and a SHA2-based signing algorithm (specifically, SHA-256).
- Deploy a new fallback metadata aggregate that uses the new self-signed certificate and a SHA1-based signing algorithm (like we do now).
- Advise all deployments to migrate to one of the new metadata aggregates ASAP but no later than March 29, 2014.
- Replace the current metadata aggregate with a redirect to the fallback metadata aggregate on March 29, 2014.
- Sync the fallback metadata aggregate with the production metadata aggregate on June 30, 2014.
Wiki Markup Remove the redirect to the _fallback metadata aggregate_ on \[*date TBD*\].
...