Phase 2 Recommendations

This is a very early DRAFT set of Phase 2 Recommendations.

The following Phase 2 deliverables were included in the Phase 1 Implementation Plan:

Elicit and capture short to mid-term requirements for metadata aggregation
- Multiple metadata aggregates will be implemented in Phase 1
Devise a plan to transition the metadata signing algorithm to SHA-2
- SHA-2 is an important driver for the Phase 1 Implementation Plan
Determine the desirability, feasibility, and impact of changing the InCommon metadata distribution point
- A new vhost for XML metadata distribution will be implemented in Phase 1

The following Phase 2 deliverables are included in this Phase 2 plan:

Some Phase 2 deliverables have been deferred:

Conduct a pilot study that explores the utility of per-entity metadata as an alternative to metadata aggregates.

The method of addressing per-entity metadata shall conform to the Metadata Query Protocol
Generate a new signing key for this pilot study

Conduct a feasibility study on the potential uses of Hardware Security Modules (HSMs) to secure XML signing keys.

An HSM for the current metadata signing key
1. On-premise deployment
2. Impact: The current metadata production process that results in three (3) signed SAML metadata aggregates (production, preview, fallback)
An HSM for a new metadata signing key
1. On-premise or cloud deployment
2. Impact: A new post-process that consumes the InCommon production metadata aggregate and produces a set of signed, per-entity metadata
3. Impact: A new post-process that consumes the InCommon production metadata aggregate and an alternate source of metadata (such as the eduGAIN metadata aggregate) to produce a combined metadata aggregate
An HSM for a new IdP signing key
1. On-premise or cloud deployment
2. Impact: The production Multifactor IdP Proxy, an instance of simpleSAMLphp