Metadata Distribution Working Group of the InCommon Technical Advisory Committee (TAC)
Instructions for editing this page here.
Weekly Teleconferences
TIME
Thursdays, 12pm ET | 9am PT
PHONE
(734) 615-7474 (please use if you do not pay for long distance)
(866) 411-0013 (toll-free in US and Canada)
Access Code: 0169395#
Action Items tracking
AI Add a third deliverable in phase 1 about communication to participants
AI FOPP will need to be updated. Necessary documentation around the signing key is important if not in a CP/CPS
AI Scott will email Leif about any IETF or related standards that address key management outside of the CP/CPS model
AI Tom will contact SSP devs to discuss the fingerprint-based-on-certificate-wrapper issue (see: SSP discussion thread)
AI InCommon Operations to discuss test and fall back environment for publishing MDAs.
AI John will review what REFeds has available on the Federation Policy template front.
AI John will draft a concensus for the working group to approve next meeting, in order to conclude its Phase 1 recommendations.
AI Scott will write requirements for Ops for per entity MD testing.
AI Tom will contact SSP devs to determine if SSP is compatible with SHA-2 (see: SSP discussion thread on SHA-2 compatibility)
Mailing list
Posting address: md-distro@incommon.org (subscribe or unsubscribe)
Archives: https://lists.incommon.org/sympa/arc/md-distro
List homepage: https://lists.incommon.org/sympa/info/md-distro
General information about InCommon mailing lists: https://lists.incommon.org/sympa/help/introduction
Mission/Goals
The mission of the Metadata Distribution Working Group is to develop a future-facing technical strategy for our metadata signing and distribution system.
We currently sign metadata using a signing key and certificate that is rooted in a traditional CA. The CA root certificate expires Mar 29 20:34:00 2014 GMT. This working group will determine whether we simply renew, reissue, or come up with alternative approaches to signing the main InCommon public metadata aggregate.
The current method of metadata distribution relies on frequent local refreshes of a centrally maintained, monolithic metadata file containing all entities in the Federation. This distribution method will not scale if InCommon continues to grow at an exponential rate or for interfederation to succeed. Therefore, this working group is intended to help define, develop, and encourage the deployment of a new model of metadata distribution. Analogies have been made to the shift from /etc/hosts files to DNS, but the Internet Border Gateway Protocol (BGP) is thought by some to be closer to what is needed. In any case, substantial preparatory work has been developed (see this page summarizing TAC discussions regarding Metadata Distribution).
Deliverables for Phase 1
Determine the fate of the metadata signing key.
- Determine if the current metadata signing key and certificate needs to be replaced or renewed.
- Determine if the key pair requires a traditional PKI.
- Communicate to InCommon participants expectations and any required or recommended actions needed
Phase 1 completion date: End of August 2013
Deliverables for Phase 2
Discuss, explore, and recommend alternative approaches to metadata distribution.
- Elicit and capture requirements around metadata distribution
- short to mid-term requirements for metadata aggregation
- longer term requirements for per entity metadata
- Devise a plan to transition the metadata signing algorithm to SHA-2
- this will be considered after SHA-2 testing of IdP endpoints is completed by TAC and Ops.
- the UK federation has blazed a welcome path for recommendation
- Determine the desirability, feasibility, and impact of changing the InCommon metadata distribution point
- an outcome of the mid-term and long-term requirements discussion
- Analyze and document alternative approaches to metadata distribution, and recommend one or more methods of metadata distribution for InCommon for the foreseeable future
Issues include:
- new endpoints for signed XML metadata distribution
- new signing key
- MDX support
- per-entity metadata
- per-organization metadata
- metadata aggregates based on self-asserted entity attributes
- support for both XML and JSON formats (both signed)
Phase 2 completion date: End of December 2013
Membership
Membership in the working group is open to all interested parties. Members join the working group by joining the mailing list, phone calls, and otherwise participating actively in the work of the group. The chair of the working group is appointed by the InCommon TAC and is responsible for keeping the TAC informed regarding working group status. John Krienke is the current chair.
Minutes
References
InCommon Federation CA CPS -- PDF version online here. This CA is a long-standing self-signed CA, not to be confused with the InCommon Certificate service.
Terms
- MD - metadata - SAML metadata for a given entity descriptor
- MDA - metadata aggregate - a signed set of entity descriptor metadata
- MDX - metadata query - a specification submitted to IETF, latest draft available here
Artifacts
- Phase 1 Recommendations to the InCommon TAC
- Metadata Query Protocol: A Consensus