inc-ops-notifications - [InCommon NOTICE] Fwd: Metadata Verification Certificate to Change on May 14, 2012
- From: Tom Scavo <>
- To: "inc-ops-notifications " <>
- Subject: [InCommon NOTICE] Fwd: Metadata Verification Certificate to Change on May 14, 2012
- Date: Wed, 09 May 2012 09:03:35 -0400 (EDT)
This is FYI. All InCommon site administrators have been notified.
Tom
PS. To manage your subscription to this mailing list, visit:
https://lists.incommon.org/sympa/info/inc-ops-notifications
----- Forwarded Message -----
From: "Tom Scavo" <>
Sent: Wednesday, May 9, 2012 8:52:23 AM
Subject: Re: Metadata Verification Certificate to Change on May 14, 2012
This is a followup note specifically about simpleSAMLphp. If you've deployed
simpleSAMLphp software in the InCommon Federation, please read on.
I've just learned that the metarefresh module in simpleSAMLphp requires the
deployer to configure the fingerprint of the metadata verification
certificate (http://goo.gl/he9yX). Since simpleSAMLphp relies on the
certificate (instead of the public key in the certificate), simpleSAMLphp
deployers MUST replace the "old" fingerprint with the "new" fingerprint in
each of their simpleSAMLphp deployments sometime between Friday, May 11
(after you’ve refreshed metadata) and Monday, May 14 (before you refresh
metadata), otherwise your metadata refresh process will break.
I've created an issue in the simpleSAMLphp issue tracker (follow the link
above). I encourage you to comment on that issue so that this bug will be
fixed in a future version of simpleSAMLphp.
Tom
----- Original Message -----
> You are receiving this message because you are an InCommon site
> administrator responsible for consuming and verifying InCommon
> metadata (https://spaces.internet2.edu/x/JwQjAQ). Please read this
> message carefully and thoroughly. Your prompt action may be
> required.
>
> If you have any questions, please contact
>
>
> The InCommon metadata verification certificate [1] EXPIRES on May 19,
> 2012. This "old" certificate will be renewed and replaced by a "new"
> certificate on Monday, May 14, 2012. Starting on that day, the
> signature on InCommon metadata will be based on the "new"
> certificate (instead of the "old" certificate).
>
> It is important to note that the private metadata signing key will
> NOT change. Therefore, the public keys in the "old" and "new"
> certificates are the same. [2] If your metadata verification process
> relies on the public key alone (as it should), either certificate
> will properly verify the signature on InCommon metadata. On the
> other hand, if your metadata verification process relies on the
> certificate itself, the "old" certificate will cease to verify the
> signature on production metadata after May 14, 2012.
>
> WHAT YOU NEED TO DO
> ====================
>
> It is well known that the Shibboleth software (in its default
> configuration) verifies metadata using the public key only. [3]
> Therefore, if you are using Shibboleth, there is nothing you need to
> do. Even so, it is recommended that you download and use the "new"
> certificate in your deployment at your discretion. This can be done
> at any time.
>
> If you are using something other than the Shibboleth software, or
> verifying the signature on metadata with some other tool, it may or
> may not be relying on the public key alone. If not, you MUST
> download the "new" certificate, replacing the "old" certificate in
> your deployment before Monday, May 14. Failure to do so will cause
> your metadata verification process to fail starting on that date.
>
> A deployment that does not rely on the public key alone (all
> non-Shibboleth deployments are suspect) should replace the "old"
> certificate with the "new" certificate sometime between Friday, May
> 11 (after you’ve refreshed metadata) and Monday, May 14 (before you
> refresh metadata). Prior to this, test metadata (see below) may be
> used to test the "new" certificate before it is deployed to
> production.
>
> FILES
> =====
>
> The "new" certificate (incommon-test.pem) is currently stored
> alongside the "old" certificate (incommon.pem) on the server. The
> "new" certificate will be moved to its permanent location
> (incommon.pem) on May 14. Also on that day, a copy of the "old"
> certificate (incommon-exp_2012-05-19.pem) will be saved for backup
> purposes.
>
> The "old" certificate will continue to work with production metadata
> until May 14. [4] From that day forward, the signature on production
> metadata will be based on the "new" certificate. For testing
> purposes between now and May 14, test metadata is provided. The
> signature on test metadata is based on the "new" certificate. [5]
> Other than the signature, production metadata and test metadata are
> identical throughout the test period. [6]
>
> The "old" certificate (expires May 19, 2012):
> https://wayf.incommonfederation.org/bridge/certs/incommon.pem
> https://wayf.incommonfederation.org/bridge/certs/incommon-exp_2012-05-19.pem
>
> The "new" certificate (expires May 2, 2014):
> https://wayf.incommonfederation.org/bridge/certs/incommon-test.pem
>
> Production metadata with signature based on the "old" certificate:
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
>
> Test metadata with signature based on the "new" certificate:
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata-test.xml
>
> NOTES
> ======
>
> [1] The InCommon metadata verification certificate is an X.509
> certificate containing the public key corresponding to the private
> metadata signing key. Metadata clients use the certificate to verify
> the signature on InCommon metadata.
>
> [2] The following commands show that the public keys in the "old" and
> "new" certificates are the same:
>
> $ curl --silent --create-dirs --output certs/incommon.pem \
> https://wayf.incommonfederation.org/bridge/certs/incommon.pem
> $ openssl x509 -sha1 -in certs/incommon.pem -noout -fingerprint
> SHA1 Fingerprint=74:27:8F:96:7C:F1:BF:CA:AA:1B:41:AF:B6:33:64:48:A2:15:0E:B4
> $ openssl x509 -in certs/incommon.pem -noout -enddate
> notAfter=May 19 12:58:29 2012 GMT
> $ openssl x509 -in certs/incommon.pem -noout -modulus
> Modulus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
>
> $ curl --silent --create-dirs --output certs/incommon-test.pem \
> https://wayf.incommonfederation.org/bridge/certs/incommon-test.pem
> $ openssl x509 -sha1 -in certs/incommon-test.pem -noout -fingerprint
> SHA1 Fingerprint=96:0F:3B:32:87:D5:C3:A4:9F:50:B6:B7:84:33:48:7C:C2:C3:0D:C2
> $ openssl x509 -in certs/incommon-test.pem -noout -enddate
> notAfter=May 2 20:42:16 2014 GMT
> $ openssl x509 -in certs/incommon-test.pem -noout -modulus
> Modulus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
>
> [3] The default trust engine in both the Shibboleth IdP and SP is the
> Explicit Key Trust Engine, which relies on the public key alone.
> Therefore, if you are using the default Shibboleth configuration,
> there is nothing you need to do.
>
> [4] See the Metadata Consumption wiki page
> (https://spaces.internet2.edu/x/JwQjAQ) for instructions on how to
> verify the signature and validate the schema on production metadata
> using XmlSecTool.
>
> [5] The following commands show how to verify the signature and
> validate the schema on test metadata using the "new" certificate:
>
> $ curl --silent --create-dirs --output certs/incommon-test.pem \
> https://wayf.incommonfederation.org/bridge/certs/incommon-test.pem
> $ curl --silent --create-dirs --output metadata/InCommon-metadata-test.xml \
>   http://wayf.incommonfederation.org/InCommon/InCommon-metadata-test.xml
> $ ./xmlsectool-1.1.5/xmlsectool.sh --verifySignature --signatureRequired \
>   --certificate certs/incommon-test.pem --inFile metadata/InCommon-metadata-test.xml
> INFO XmlSecTool - Reading XML document from file 'metadata/InCommon-metadata-test.xml'
> INFO XmlSecTool - XML document parsed and is well-formed.
> INFO XmlSecTool - XML document signature verified.
> $ ./xmlsectool-1.1.5/xmlsectool.sh --validateSchema --schemaDirectory schema-files \
>   --inFile metadata/InCommon-metadata-test.xml
> INFO XmlSecTool - Reading XML document from file 'metadata/InCommon-metadata-test.xml'
> INFO XmlSecTool - XML document parsed and is well-formed.
> INFO XmlSecTool - XML document is schema valid
>
> [6] The following command shows that production metadata and test
> metadata are identical except for the signature:
>
> $ diff metadata/InCommon-metadata.xml metadata/InCommon-metadata-test.xml
> 1c1
> < <?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor
> xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> ID="INC20120503T190316" Name="urn:mace:incommon"
> validUntil="2012-05-17T23:00:00Z"
> xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata
> sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0
> shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig#
> xmldsig-core-schema.xsd"><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> ---
> > <?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor
> > xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> > xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > ID="INC20120503T190252" Name="urn:mace:incommon"
> > validUntil="2012-05-17T23:00:00Z"
> > xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata
> > sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0
> > shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig#
> > xmldsig-core-schema.xsd"><ds:Signature
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> 5c5
> < <ds:Reference URI="#INC20120503T190316">
> ---
> > <ds:Reference URI="#INC20120503T190252">
> 11c11
> < <ds:DigestValue>/XxuXjX0+Wa51ZBFOee3nxVL7cA=</ds:DigestValue>
> ---
> > <ds:DigestValue>3Qh9cVU2gnNjAoLcTguCRnLqwUI=</ds:DigestValue>
> 15,19c15,19
> <
> JwoetFfLUaM+C+bXHbf74jFFGGSmWMdq/ug0+zNSPRATbxaABMR0NUsbUAKbYH0iq0nSkw9MN5+H
> <
> 8Spy1B+oV8Qb3/YTKGzGVgirJasR3lFgS7toL800uY0LT0nGANhI1MFt5TvE73hITk5nqW9QWESS
> <
> cxl4vM9OXvMwf1FBPAfa1TMdeVBjQ55R7wiHIiBTQ/xD8uIPLa57PRfpgRIIOEdtlb35FAdfTHAV
> <
> pp30gpSR84huJPThkYppIXy4r6dcpGQhAu6bAngPEzP0Kzel9VHHE8hzTJtnO8lHNeV5gQM0ht3c
> < WP5OECvtiNJR26m0AH3105MIUsOkXS7T5erFgw==
> ---
> > KDhejZ47wGmW10HxT5poAH5Bpxkv8A0mDe8KJSbnxbYO1+MApJQ+sHnNNv1cWd06JVksxYMx/FyN
> > HvWcpSgG9RHAT4AUJfTBwX8VGKXJp9/78Wh4gPc+d6s0cnEar6MzjjEHUnXoDyCsNHZOKIpM1Ge7
> > x9tE20hFfQJEhdBmtkGt7UU01df+rpM2YjYi0t1UIy4GyPCug1JlQ58rcS/247awdMZPD6uJud3l
> > fiQR/pyGDU0E5aaSp+xcsgCtUjukJLIAkCy4a9YBEY3DAvcj0vrqDR5VRcxGSvQOTwBG6PT5VQ9H
> > nfBU/ughpWqS4a1g+WpRpsyz1lGxI67xxEahwQ==
> 36c36
> <
> MIIFqTCCBJGgAwIBAgICArowDQYJKoZIhvcNAQEFBQAwVjELMAkGA1UEBhMCVVMxHDAaBgNVBAoT
> ---
> > MIIFqTCCBJGgAwIBAgICArswDQYJKoZIhvcNAQEFBQAwVjELMAkGA1UEBhMCVVMxHDAaBgNVBAoT
> 38c38
> <
> aG9yaXR5MB4XDTEwMDUxOTEyNTgyOVoXDTEyMDUxOTEyNTgyOVowJzElMCMGA1UEAxMcZmVkb3Au
> ---
> > aG9yaXR5MB4XDTEyMDUwMTIwNDIxNloXDTE0MDUwMjIwNDIxNlowJzElMCMGA1UEAxMcZmVkb3Au
> 57,61c57,61
> <
> RtypKF+3/5z48gZktwIXEUwW/J1ROYvPTvMrtuVyzroBCGp4HfNLuMm6F8BVSrTHqVGLFGrGM8md
> <
> zU+FQdsM/x0W/cc0A4mHLwM4XDDVcH6nepwLZX9H1AfaxYgIGrJL+l8JDWtmEn/ktSij4y4HlA2q
> <
> 5kH+UyEwxFuqEUEd2EnL8agjjxiacJYeTon23pbWGe20QTPq45YM5q1G44RCYIhljSYth4FX9vBw
> <
> 7n4jH21HpsHTk2gDOkBwXXgiebknnAnPI2jz5mNgEAabhGkDrnGIttEEREcWlOuLdgc8uDUjHO/X
> < Dsw27l4YFl6/OG92XPlCOYVQCqSmp0OdTViV9A==
> ---
> > Kwvdnua6MWUE/Id5QloGnZxBLj5k/cl+hJap0w6L3kqpV+pVh7tpW98ZSwA+HSwpXDlVr1m7kyvM
> > 70GWQNdOw3sOPRdpVNGwb6DFOtWymZwkKJ+smCLkXXCeuT5TEFaWmkjjb5mVmRtn3/LWhZqI/xUB
> > xndYUnptXrEpI9gwoqZ8K5YsxVhHWs6l/sH0SXpQq/o8wTwO3CBr+SrSo5rm1nTyS3sK7ezXhQJ7
> > ryqPlBuEGc823KzwBPTLftWPegG3ab1ZuhEY/fcSVx+dz1CpYGnrsq2ugQKwBXZKMNNemyGLmGuX
> > VXTe2CcrydNM1m1LSs7KE7COdFrZYDZGS08G/w==
>
>
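The notice above turns on one distinction: a verifier that trusts the public key keeps working across a certificate renewal that reuses the signing key, while a verifier that pins the certificate (for example by its SHA-1 fingerprint, as the simpleSAMLphp metarefresh configuration is described as doing) fails the moment the new certificate is deployed. The script below reproduces that situation locally so the effect can be observed without touching the federation servers. It is an added example written for this archive page, not code from the notice, from InCommon, or from simpleSAMLphp; the key, the two certificates (serials 0x2ba and 0x2bb, standing in for the "old" and "new" files), the one-line stand-in for a metadata document, and the function names are all constructed here. It needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example: certificate renewal with an unchanged signing key, seen from
# a key-pinning verifier and from a fingerprint-pinning verifier.
# Everything below is generated locally; no federation files are used.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One long-lived private signing key (the notice: "the private metadata
# signing key will NOT change").
openssl genrsa -out "$WORK/signing-key.pem" 2048 2>/dev/null

# Two certificates over the SAME key with different serial numbers and
# validity periods: stand-ins for the "old" and "new" certificates.
make_cert() {   # $1 = output file, $2 = serial, $3 = validity in days
    openssl req -new -x509 -sha256 -key "$WORK/signing-key.pem" \
        -subj "/CN=example-metadata-signer" -set_serial "$2" -days "$3" \
        -out "$1" 2>/dev/null
}
make_cert "$WORK/old.pem" 0x2ba 30
make_cert "$WORK/new.pem" 0x2bb 730

# Certificate pinning: SHA-1 fingerprint of the DER-encoded certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Key pinning: the RSA modulus (what the notice compares) or a digest of the
# SubjectPublicKeyInfo; both are independent of serial and validity.
cert_modulus() {
    openssl x509 -in "$1" -noout -modulus | cut -d= -f2
}
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# A constructed one-line "metadata" document, signed once with the key.
# (A raw RSA signature over the file stands in for the XML signature.)
printf '<EntitiesDescriptor Name="urn:example:federation"/>\n' > "$WORK/metadata.xml"
openssl dgst -sha256 -sign "$WORK/signing-key.pem" \
    -out "$WORK/metadata.sig" "$WORK/metadata.xml"

# Verifier that trusts the public key found in whatever certificate it is
# handed. Prints "ok" on a valid signature, "fail" otherwise.
verify_with_cert_key() {
    openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" \
         -signature "$WORK/metadata.sig" "$WORK/metadata.xml" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Verifier that first insists the certificate matches a configured
# fingerprint, then checks the signature with its key.
verify_with_pinned_fingerprint() {   # $1 = certificate, $2 = pinned fingerprint
    if [ "$(cert_fingerprint "$1")" != "$2" ]; then echo fail; return 0; fi
    verify_with_cert_key "$1"
}

PINNED_OLD=$(cert_fingerprint "$WORK/old.pem")
PINNED_NEW=$(cert_fingerprint "$WORK/new.pem")

echo "old cert fingerprint: $PINNED_OLD"
echo "new cert fingerprint: $PINNED_NEW"
echo "old cert SPKI sha256: $(spki_sha256 "$WORK/old.pem")"
echo "new cert SPKI sha256: $(spki_sha256 "$WORK/new.pem")"
echo "key-pinned verifier, old cert:               $(verify_with_cert_key "$WORK/old.pem")"
echo "key-pinned verifier, new cert:               $(verify_with_cert_key "$WORK/new.pem")"
echo "fingerprint-pinned (old fp), old cert:       $(verify_with_pinned_fingerprint "$WORK/old.pem" "$PINNED_OLD")"
echo "fingerprint-pinned (old fp), new cert:       $(verify_with_pinned_fingerprint "$WORK/new.pem" "$PINNED_OLD")"
echo "fingerprint-pinned (updated to new fp), new: $(verify_with_pinned_fingerprint "$WORK/new.pem" "$PINNED_NEW")"
```

The two fingerprints differ while the modulus and SPKI digest are identical, so the key-pinning verifier accepts the signature with either certificate, the fingerprint-pinning verifier rejects the new certificate until its configured fingerprint is replaced, and it accepts it again once it is. That last line is the swap the notice asks simpleSAMLphp deployers to make between the Friday and Monday refreshes; a deployer can run the same `cert_modulus` comparison against the real incommon.pem and incommon-test.pem to confirm the key is unchanged before making the change.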