Phase 1 Implementation Plan

This document is a DRAFT plan to implement the Phase 1 Recommendations of the Metadata Distribution WG.

Executive Summary

  1. A new metadata aggregate will be deployed, at a new HTTP location.
  2. The digital signature on the new metadata aggregate will be upgraded.
    1. The signing certificate is new (but the signing key is not).
    2. The digital signature on the new metadata aggregate employs a SHA-2 digest algorithm.
  3. *All deployments are encouraged to migrate to the new metadata aggregate ASAP but no later than \[date TBD\]*.
    1. Some non-standard deployments may be required to take action by March 29, 2014.


It is strongly recommended that InCommon SPs and IdPs refresh and verify metadata at least daily. The security implications of metadata refresh are called out on the Metadata Consumption wiki page:

Regular metadata refresh protects users against spoofing and phishing, and is a necessary precaution in the event of key compromise. Failure to refresh metadata exposes you, your users, and other Federation participants to unnecessary risk.

If you verify the digital signature on InCommon metadata (as recommended), then the following implementation plan may affect your metadata refresh process. Even if you don't verify the signature (which is not recommended), note that the HTTP location of InCommon metadata is changing.


  1. The InCommon metadata signing certificate expires on May 2, 2014.
  2. The InCommon metadata signing certificate is signed by a legacy CA whose certificate expires on March 29, 2014.
  3. The XML signature on InCommon metadata uses a deprecated (and soon-to-be disallowed) SHA-1 digest algorithm.
  4. Multiple, heterogeneous services run on vhost, namely, metadata services and discovery services. To provide better quality of service, these services need to be segregated on their own vhosts ( and, resp.).


  1. Replace the current signing certificate with a long-lived, self-signed certificate based on the current key pair. Set the new certificate to expire on December 18, 2037.
  2. Deploy a new metadata aggregate that uses the new self-signed certificate and a SHA2-based signing algorithm (specifically, SHA-256).
  3. Recommend that all deployments migrate to the new metadata aggregate ASAP but no later than \[*date TBD*\]. In particular, any deployment that (incorrectly) relies on the legacy CA *must* either stop doing so or migrate to the new metadata aggregate by March 29, 2014.
  4. Replace the current metadata aggregate with a redirect to the new metadata aggregate on \[*date TBD*\].
  5. Create a discussion list for administrators that have questions or problems regarding this transition.