A plan to implement the Phase 1 Recommendations of the Metadata Distribution WG is emerging.
It is strongly recommended that InCommon SPs and IdPs refresh and verify metadata at least daily. The security implications of metadata refresh are called out on the Metadata Consumption wiki page:
Regular metadata refresh protects users against spoofing and phishing, and is a necessary precaution in the event of key compromise. Failure to refresh metadata exposes you, your users, and other Federation participants to unnecessary risk.
If you verify the digital signature on InCommon metadata (as recommended), then the following implementation plan will affect your metadata refresh process.
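The two checks a daily refresh job should make before installing a freshly downloaded aggregate are that the file is still within its `validUntil` window and that it is signed by the certificate you have pinned out of band. The following is an added illustration, not InCommon's or any deployment's own tooling: it parses a small constructed aggregate (the certificate bytes are a labelled placeholder, not a real X.509 certificate), enforces the freshness window, and compares the embedded signing certificate's SHA-256 fingerprint against a pinned value. It deliberately does not perform full XML-DSig verification; that step needs a proper XML Signature implementation and is assumed to run alongside this check. The `max_validity` value is an assumed local policy, not a figure from the page.

```python
"""Freshness and signing-certificate check for a SAML metadata aggregate.

Added example. It does NOT verify the XML signature itself (use a real
XML-DSig implementation for that); it asserts the validUntil window and
that the embedded signing certificate matches a pinned fingerprint.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: placeholder bytes stand in for the DER certificate.
PLACEHOLDER_CERT_DER = b"placeholder-signing-certificate"
SAMPLE_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()

# Constructed sample aggregate, not real federation metadata.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    validUntil="2014-03-20T19:00:00Z" Name="urn:example:federation">
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth"/>
</md:EntitiesDescriptor>
"""

# In a real deployment the pinned fingerprint comes from an out-of-band
# source (the federation's published certificate), never from the file
# being checked. Here it is derived from the placeholder so the sample runs.
PINNED_SHA256 = hashlib.sha256(PLACEHOLDER_CERT_DER).hexdigest()


def parse_valid_until(value):
    # SAML dateTime values are UTC with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_metadata(xml_text, pinned_sha256, now, max_validity=timedelta(days=14)):
    """Return (ok, reason). Rejects expired, over-long-lived, unsigned,
    or wrongly-signed aggregates. max_validity is an assumed local policy."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntitiesDescriptor":
        return False, "root element is not md:EntitiesDescriptor"
    valid_until = root.get("validUntil")
    if valid_until is None:
        return False, "no validUntil attribute; refusing unbounded metadata"
    expiry = parse_valid_until(valid_until)
    if expiry <= now:
        return False, f"metadata expired at {valid_until}"
    if expiry - now > max_validity:
        # A window far longer than policy suggests a bogus file or a bad clock.
        return False, "validUntil is further out than local policy allows"
    cert_el = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        return False, "no signing certificate in the signature"
    der = base64.b64decode("".join(cert_el.text.split()))
    fingerprint = hashlib.sha256(der).hexdigest()
    if fingerprint != pinned_sha256:
        return False, f"signing certificate fingerprint mismatch: {fingerprint}"
    return True, "within validUntil and signed by the pinned certificate"


if __name__ == "__main__":
    now = datetime(2014, 3, 15, tzinfo=timezone.utc)
    print(check_metadata(SAMPLE_METADATA, PINNED_SHA256, now))
```

Run this from the refresh job before the new file replaces the one in service; on any `False` result keep serving the previous aggregate (as long as it is itself still valid) and alert, since silently continuing with stale or unverified metadata is exactly the risk the refresh requirement exists to prevent.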
Recommend that all deployments migrate to the new metadata aggregate ASAP but no later than \[*date TBD*\]. In particular, any deployment that (incorrectly) relies on the legacy CA *must* either stop doing so or migrate to the new metadata aggregate by March 29, 2014.
Replace the current metadata aggregate with a redirect to the new metadata aggregate on \[*date TBD*\].