...
- InCommon Operations will deploy three new metadata aggregates at the following permanent HTTP locations:
  - http://md.incommon.org/InCommon/InCommon-metadata.xml (production metadata)
  - http://md.incommon.org/InCommon/InCommon-metadata-preview.xml (preview metadata)
  - http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml (fallback metadata)
- All metadata aggregates will be signed using a new self-signed signing certificate set to expire on December 18, 2037.
- Although the signing certificate is new, the signing key is not.
- All metadata aggregates will be signed with the same key but the fallback metadata aggregate will use a different digest algorithm.
  - Both the production metadata aggregate and the preview metadata aggregate will be signed using a SHA-2 digest algorithm (specifically, SHA-256).
  - Initially, the fallback metadata aggregate will be signed using the SHA-1 digest algorithm (which is what we use now).
- All deployments shall migrate to one of the new metadata aggregates ASAP but no later than March 29, 2014.
- The current metadata aggregate will be replaced with a redirect to the fallback metadata aggregate on March 29, 2014.
- If your metadata process can verify an XML signature that uses the SHA-256 digest algorithm, migrate to the production metadata aggregate or the preview metadata aggregate.
- If your metadata process cannot verify an XML signature that uses the SHA-256 digest algorithm, migrate to the fallback metadata aggregate.
- All deployments shall migrate to the production metadata aggregate or the preview metadata aggregate by June 30, 2014.
- On June 30, the fallback metadata aggregate will be synced with the production metadata aggregate (i.e., all aggregates will be signed using the SHA-256 digest algorithm).
- After June 30, all metadata aggregates published by the InCommon Federation will be signed using the SHA-256 digest algorithm.
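To confirm which digest algorithm a downloaded aggregate declares, and to enforce a SHA-256-only policy in a metadata refresh job, the following added example (not InCommon's own tooling) reads the algorithm URIs from the enveloped `ds:Signature`. It only inspects the declared algorithms; the signature itself must still be verified against the InCommon signing certificate. The function names and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# XML-DSig algorithm URIs -> hash family (only those relevant to this migration).
HASH_BY_URI = {
    DS + "sha1": "SHA-1",
    DS + "rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
}

def signature_hashes(xml_bytes):
    """Return the set of hash families used by the aggregate's enveloped signature."""
    root = ET.fromstring(xml_bytes)
    info = root.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo")
    if info is None:
        raise ValueError("no ds:Signature on the root element (unsigned aggregate)")
    # Check both the signature method and every reference digest: a signature
    # can pair an RSA-SHA256 SignatureMethod with a SHA-1 DigestMethod.
    nodes = [info.find(f"{{{DS}}}SignatureMethod")]
    nodes += info.findall(f"{{{DS}}}Reference/{{{DS}}}DigestMethod")
    if nodes[0] is None or len(nodes) < 2:
        raise ValueError("SignedInfo lacks SignatureMethod or DigestMethod")
    return {HASH_BY_URI.get(n.get("Algorithm"), "unknown") for n in nodes}

def meets_policy(xml_bytes, required="SHA-256"):
    """True only if every algorithm in the signature uses the required hash."""
    return signature_hashes(xml_bytes) == {required}

def sample(sig_uri, digest_uri):
    """Constructed test input: signature skeleton only, values are placeholders."""
    return (f'<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            f'xmlns:ds="{DS}"><ds:Signature><ds:SignedInfo>'
            f'<ds:SignatureMethod Algorithm="{sig_uri}"/>'
            f'<ds:Reference URI=""><ds:DigestMethod Algorithm="{digest_uri}"/>'
            f'<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>'
            f'</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
            f'</ds:Signature></md:EntitiesDescriptor>').encode()
```

Running `meets_policy` on each refresh also shows when the fallback aggregate switches from SHA-1 to SHA-256.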
...