...
- The InCommon metadata signing certificate expires on May 2, 2014.
- The InCommon metadata signing certificate is signed by a legacy CA whose certificate expires on March 29, 2014.
- The XML signature on InCommon metadata uses a deprecated (and soon-to-be disallowed) SHA-1 digest algorithm.
  - NIST deprecated the use of SHA-1 in conjunction with digital signatures on January 1, 2011.
  - NIST disallows the use of SHA-1 in conjunction with digital signatures after January 1, 2014.
  - See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4
- Multiple, heterogeneous services run on vhost wayf.incommonfederation.org, namely, Metadata Services and the Discovery Service. To provide better quality of service, these services need to be segregated on their own vhosts (md.incommon.org and ds.incommon.org, resp.). Note: The InCommon Federated Error Handling Service is already running on ds.incommon.org.
- Multiple metadata aggregates will allow us to deploy changes to InCommon metadata more quickly and safely.
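
As an added example (not InCommon's own tooling), this Python check reads the algorithm URIs declared on a metadata aggregate's document-level XML signature and reports any that name SHA-1, the condition described in the list above. The sample documents and function names are constructed for illustration; the check inspects declared algorithms only and does not verify the signature or the signing certificate's expiry.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample aggregate; digest and signature values are placeholders.
SAMPLE_SHA1 = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:constructed">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</md:EntitiesDescriptor>"""

# Same constructed document re-labelled with SHA-256 algorithm URIs.
SAMPLE_SHA256 = (SAMPLE_SHA1
    .replace("2000/09/xmldsig#rsa-sha1", "2001/04/xmldsig-more#rsa-sha256")
    .replace("2000/09/xmldsig#sha1", "2001/04/xmlenc#sha256"))


def signature_algorithms(metadata_xml):
    """Return (element, Algorithm URI) pairs declared by the document-level signature."""
    # For metadata from an untrusted source, parse with a hardened XML parser instead.
    root = ET.fromstring(metadata_xml)
    # Only the signature that is a direct child of the root covers the aggregate.
    info = root.find("ds:Signature/ds:SignedInfo", NS)
    if info is None:
        raise ValueError("no document-level ds:Signature found")
    found = []
    for tag in ("SignatureMethod", "Reference/ds:DigestMethod"):
        for el in info.findall("ds:" + tag, NS):
            found.append((tag.split(":")[-1], el.get("Algorithm", "")))
    return found


def sha1_findings(metadata_xml):
    """List declared algorithms whose URI ends in sha1 (rsa-sha1, dsa-sha1, sha1, ...)."""
    return [(name, uri) for name, uri in signature_algorithms(metadata_xml)
            if uri.lower().endswith("sha1")]
```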
Actions
InCommon Operations will take the following actions:
...