inc-ops-notifications - [InCommon NOTICE] Re: Metadata Verification Certificate to Change on May 14, 2012

  • From: Tom Scavo <>
  • To: InCommon Operations Notifications <>
  • Subject: [InCommon NOTICE] Re: Metadata Verification Certificate to Change on May 14, 2012
  • Date: Mon, 14 May 2012 11:01:25 -0400 (EDT)

FYI, the "new" certificate has been included in a special production metadata
run. From here on out, the "new" certificate will be used exclusively.

Please check your metadata refresh process to make sure it is functioning
properly. If you see a problem, contact

asap.

Tom Scavo
Operations Manager
InCommon.org
https://twitter.com/trscavo


----- Original Message -----
> This is a followup note specifically about simpleSAMLphp. If you've
> deployed simpleSAMLphp software in the InCommon Federation, please
> read on.
>
> I've just learned that the metarefresh module in simpleSAMLphp
> requires the deployer to configure the fingerprint of the metadata
> verification certificate (http://goo.gl/he9yX). Since simpleSAMLphp
> relies on the certificate (instead of the public key in the
> certificate), simpleSAMLphp deployers MUST replace the "old"
> fingerprint with the "new" fingerprint in each of their
> simpleSAMLphp deployments sometime between Friday, May 11 (after
> you’ve refreshed metadata) and Monday, May 14 (before you refresh
> metadata), otherwise your metadata refresh process will break.
>
> I've created an issue in the simpleSAMLphp issue tracker (follow the
> link above). I encourage you to comment on that issue so that this
> bug will be fixed in a future version of simpleSAMLphp.
>
> Tom
>
> ----- Original Message -----
> > You are receiving this message because you are an InCommon site
> > administrator responsible for consuming and verifying InCommon
> > metadata (https://spaces.internet2.edu/x/JwQjAQ). Please read this
> > message carefully and thoroughly. Your prompt action may be
> > required.
> >
> > If you have any questions, please contact
> >
> >
> > The InCommon metadata verification certificate [1] EXPIRES on May 19,
> > 2012. This "old" certificate will be renewed and replaced by a "new"
> > certificate on Monday, May 14, 2012. Starting on that day, the
> > signature on InCommon metadata will be based on the "new"
> > certificate (instead of the "old" certificate).
> >
> > It is important to note that the private metadata signing key will
> > NOT change. Therefore, the public keys in the "old" and "new"
> > certificates are the same. [2] If your metadata verification process
> > relies on the public key alone (as it should), either certificate
> > will properly verify the signature on InCommon metadata. On the
> > other hand, if your metadata verification process relies on the
> > certificate itself, the "old" certificate will cease to verify the
> > signature on production metadata after May 14, 2012.
> >
> > WHAT YOU NEED TO DO
> > ====================
> >
> > It is well known that the Shibboleth software (in its default
> > configuration) verifies metadata using the public key only. [3]
> > Therefore, if you are using Shibboleth, there is nothing you need to
> > do. Even so, it is recommended that you download and use the "new"
> > certificate in your deployment at your discretion. This can be done
> > at any time.
> >
> > If you are using something other than the Shibboleth software, or
> > verifying the signature on metadata with some other tool, it may or
> > may not be relying on the public key alone. If not, you MUST
> > download the "new" certificate, replacing the "old" certificate in
> > your deployment before Monday, May 14. Failure to do so will cause
> > your metadata verification process to fail starting on that date.
> >
> > A deployment that does not rely on the public key alone (all
> > non-Shibboleth deployments are suspect) should replace the "old"
> > certificate with the "new" certificate sometime between Friday, May
> > 11 (after you’ve refreshed metadata) and Monday, May 14 (before you
> > refresh metadata). Prior to this, test metadata (see below) may be
> > used to test the "new" certificate before it is deployed to
> > production.
> >
> > FILES
> > =====
> >
> > The "new" certificate (incommon-test.pem) is currently stored
> > alongside the "old" certificate (incommon.pem) on the server. The
> > "new" certificate will be moved to its permanent location
> > (incommon.pem) on May 14. Also on that day, a copy of the "old"
> > certificate (incommon-exp_2012-05-19.pem) will be saved for backup
> > purposes.
> >
> > The "old" certificate will continue to work with production metadata
> > until May 14. [4] From that day forward, the signature on production
> > metadata will be based on the "new" certificate. For testing
> > purposes between now and May 14, test metadata is provided. The
> > signature on test metadata is based on the "new" certificate. [5]
> > Other than the signature, production metadata and test metadata are
> > identical throughout the test period. [6]
> >
> > The "old" certificate (expires May 19, 2012):
> > https://wayf.incommonfederation.org/bridge/certs/incommon.pem
> > https://wayf.incommonfederation.org/bridge/certs/incommon-exp_2012-05-19.pem
> >
> > The "new" certificate (expires May 2, 2014):
> > https://wayf.incommonfederation.org/bridge/certs/incommon-test.pem
> >
> > Production metadata with signature based on the "old" certificate:
> > http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
> >
> > Test metadata with signature based on the "new" certificate:
> > http://wayf.incommonfederation.org/InCommon/InCommon-metadata-test.xml
> >
> > NOTES
> > ======
> >
> > [1] The InCommon metadata verification certificate is an X.509
> > certificate containing the public key corresponding to the private
> > metadata signing key. Metadata clients use the certificate to verify
> > the signature on InCommon metadata.
> >
> > [2] The following commands show that the public keys in the "old" and
> > "new" certificates are the same:
> >
> > $ curl --silent --create-dirs --output certs/incommon.pem \
> > https://wayf.incommonfederation.org/bridge/certs/incommon.pem
> > $ openssl x509 -sha1 -in certs/incommon.pem -noout -fingerprint
> > SHA1 Fingerprint=74:27:8F:96:7C:F1:BF:CA:AA:1B:41:AF:B6:33:64:48:A2:15:0E:B4
> > $ openssl x509 -in certs/incommon.pem -noout -enddate
> > notAfter=May 19 12:58:29 2012 GMT
> > $ openssl x509 -in certs/incommon.pem -noout -modulus
> > Modulus=...
> >
> > $ curl --silent --create-dirs --output certs/incommon-test.pem \
> > https://wayf.incommonfederation.org/bridge/certs/incommon-test.pem
> > $ openssl x509 -sha1 -in certs/incommon-test.pem -noout -fingerprint
> > SHA1 Fingerprint=96:0F:3B:32:87:D5:C3:A4:9F:50:B6:B7:84:33:48:7C:C2:C3:0D:C2
> > $ openssl x509 -in certs/incommon-test.pem -noout -enddate
> > notAfter=May 2 20:42:16 2014 GMT
> > $ openssl x509 -in certs/incommon-test.pem -noout -modulus
> > Modulus=...
> >
> > [3] The default trust engine in both the Shibboleth IdP and SP is the
> > Explicit Key Trust Engine, which relies on the public key alone.
> > Therefore, if you are using the default Shibboleth configuration,
> > there is nothing you need to do.
> >
> > [4] See the Metadata Consumption wiki page
> > (https://spaces.internet2.edu/x/JwQjAQ) for instructions on how to
> > verify the signature and validate the schema on production metadata
> > using XmlSecTool.
> >
> > [5] The following commands show how to verify the signature and
> > validate the schema on test metadata using the "new" certificate:
> >
> > $ curl --silent --create-dirs --output certs/incommon-test.pem \
> > https://wayf.incommonfederation.org/bridge/certs/incommon-test.pem
> > $ curl --silent --create-dirs --output metadata/InCommon-metadata-test.xml \
> > http://wayf.incommonfederation.org/InCommon/InCommon-metadata-test.xml
> > $ ./xmlsectool-1.1.5/xmlsectool.sh --verifySignature --signatureRequired \
> > --certificate certs/incommon-test.pem --inFile metadata/InCommon-metadata-test.xml
> > INFO XmlSecTool - Reading XML document from file 'metadata/InCommon-metadata-test.xml'
> > INFO XmlSecTool - XML document parsed and is well-formed.
> > INFO XmlSecTool - XML document signature verified.
> > $ ./xmlsectool-1.1.5/xmlsectool.sh --validateSchema --schemaDirectory schema-files \
> > --inFile metadata/InCommon-metadata-test.xml
> > INFO XmlSecTool - Reading XML document from file 'metadata/InCommon-metadata-test.xml'
> > INFO XmlSecTool - XML document parsed and is well-formed.
> > INFO XmlSecTool - XML document is schema valid
> >
> > [6] The following command shows that production metadata and test
> > metadata are identical except for the signature:
> >
> > $ diff metadata/InCommon-metadata.xml metadata/InCommon-metadata-test.xml
> > 1c1
> > < <?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor
> > xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> > xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > ID="INC20120503T190316" Name="urn:mace:incommon"
> > validUntil="2012-05-17T23:00:00Z"
> > xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata
> > sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0
> > shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig#
> > xmldsig-core-schema.xsd"><ds:Signature
> > xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > ---
> > > <?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor
> > > xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
> > > xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> > > xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > ID="INC20120503T190252" Name="urn:mace:incommon"
> > > validUntil="2012-05-17T23:00:00Z"
> > > xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata
> > > sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0
> > > shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig#
> > > xmldsig-core-schema.xsd"><ds:Signature
> > > xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> > 5c5
> > < <ds:Reference URI="#INC20120503T190316">
> > ---
> > > <ds:Reference URI="#INC20120503T190252">
> > 11c11
> > < <ds:DigestValue>/XxuXjX0+Wa51ZBFOee3nxVL7cA=</ds:DigestValue>
> > ---
> > > <ds:DigestValue>3Qh9cVU2gnNjAoLcTguCRnLqwUI=</ds:DigestValue>
> > 15,19c15,19
> > <
> > JwoetFfLUaM+C+bXHbf74jFFGGSmWMdq/ug0+zNSPRATbxaABMR0NUsbUAKbYH0iq0nSkw9MN5+H
> > <
> > 8Spy1B+oV8Qb3/YTKGzGVgirJasR3lFgS7toL800uY0LT0nGANhI1MFt5TvE73hITk5nqW9QWESS
> > <
> > cxl4vM9OXvMwf1FBPAfa1TMdeVBjQ55R7wiHIiBTQ/xD8uIPLa57PRfpgRIIOEdtlb35FAdfTHAV
> > <
> > pp30gpSR84huJPThkYppIXy4r6dcpGQhAu6bAngPEzP0Kzel9VHHE8hzTJtnO8lHNeV5gQM0ht3c
> > < WP5OECvtiNJR26m0AH3105MIUsOkXS7T5erFgw==
> > ---
> > > KDhejZ47wGmW10HxT5poAH5Bpxkv8A0mDe8KJSbnxbYO1+MApJQ+sHnNNv1cWd06JVksxYMx/FyN
> > > HvWcpSgG9RHAT4AUJfTBwX8VGKXJp9/78Wh4gPc+d6s0cnEar6MzjjEHUnXoDyCsNHZOKIpM1Ge7
> > > x9tE20hFfQJEhdBmtkGt7UU01df+rpM2YjYi0t1UIy4GyPCug1JlQ58rcS/247awdMZPD6uJud3l
> > > fiQR/pyGDU0E5aaSp+xcsgCtUjukJLIAkCy4a9YBEY3DAvcj0vrqDR5VRcxGSvQOTwBG6PT5VQ9H
> > > nfBU/ughpWqS4a1g+WpRpsyz1lGxI67xxEahwQ==
> > 36c36
> > <
> > MIIFqTCCBJGgAwIBAgICArowDQYJKoZIhvcNAQEFBQAwVjELMAkGA1UEBhMCVVMxHDAaBgNVBAoT
> > ---
> > > MIIFqTCCBJGgAwIBAgICArswDQYJKoZIhvcNAQEFBQAwVjELMAkGA1UEBhMCVVMxHDAaBgNVBAoT
> > 38c38
> > <
> > aG9yaXR5MB4XDTEwMDUxOTEyNTgyOVoXDTEyMDUxOTEyNTgyOVowJzElMCMGA1UEAxMcZmVkb3Au
> > ---
> > > aG9yaXR5MB4XDTEyMDUwMTIwNDIxNloXDTE0MDUwMjIwNDIxNlowJzElMCMGA1UEAxMcZmVkb3Au
> > 57,61c57,61
> > <
> > RtypKF+3/5z48gZktwIXEUwW/J1ROYvPTvMrtuVyzroBCGp4HfNLuMm6F8BVSrTHqVGLFGrGM8md
> > <
> > zU+FQdsM/x0W/cc0A4mHLwM4XDDVcH6nepwLZX9H1AfaxYgIGrJL+l8JDWtmEn/ktSij4y4HlA2q
> > <
> > 5kH+UyEwxFuqEUEd2EnL8agjjxiacJYeTon23pbWGe20QTPq45YM5q1G44RCYIhljSYth4FX9vBw
> > <
> > 7n4jH21HpsHTk2gDOkBwXXgiebknnAnPI2jz5mNgEAabhGkDrnGIttEEREcWlOuLdgc8uDUjHO/X
> > < Dsw27l4YFl6/OG92XPlCOYVQCqSmp0OdTViV9A==
> > ---
> > > Kwvdnua6MWUE/Id5QloGnZxBLj5k/cl+hJap0w6L3kqpV+pVh7tpW98ZSwA+HSwpXDlVr1m7kyvM
> > > 70GWQNdOw3sOPRdpVNGwb6DFOtWymZwkKJ+smCLkXXCeuT5TEFaWmkjjb5mVmRtn3/LWhZqI/xUB
> > > xndYUnptXrEpI9gwoqZ8K5YsxVhHWs6l/sH0SXpQq/o8wTwO3CBr+SrSo5rm1nTyS3sK7ezXhQJ7
> > > ryqPlBuEGc823KzwBPTLftWPegG3ab1ZuhEY/fcSVx+dz1CpYGnrsq2ugQKwBXZKMNNemyGLmGuX
> > > VXTe2CcrydNM1m1LSs7KE7COdFrZYDZGS08G/w==
> >
> >
>
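The notice's note [2] and the simpleSAMLphp follow-up both turn on one distinction: a deployment that pins the certificate (for example its SHA-1 fingerprint, as metarefresh does) breaks when the certificate is renewed over an unchanged key, while one that trusts the public key alone keeps verifying. The script below is an added example, not part of Tom's notice and not InCommon or simpleSAMLphp code. It reproduces the situation with a throwaway key: it assumes only the openssl command-line tool, and every file name, the subject `metadata-signer.example`, and the signed "metadata" document are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the InCommon notice: one signing key, two certificates.
# Shows that the certificate fingerprints differ while the public keys are the
# same, so a fingerprint pin breaks on renewal and a public-key pin does not.
# Assumes the openssl command-line tool; every file and name below is constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"    # scratch directory for the constructed files

# Issue an "old" and a "new" self-signed certificate over the SAME private key,
# differing only in serial number and validity period (as InCommon's renewal did).
make_certs() {
    openssl genrsa -out "$WORK/signing.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/signing.key" -days 1 -set_serial 1 \
        -subj "/CN=metadata-signer.example" -out "$WORK/old.pem" 2>/dev/null
    openssl req -new -x509 -key "$WORK/signing.key" -days 730 -set_serial 2 \
        -subj "/CN=metadata-signer.example" -out "$WORK/new.pem" 2>/dev/null
}

# SHA-1 fingerprint of the whole certificate (the value metarefresh pins).
fingerprint() {
    openssl x509 -in "$1" -noout -sha1 -fingerprint | sed 's/^.*=//'
}

# SHA-256 of the DER SubjectPublicKeyInfo, i.e. of the public key alone
# (what an explicit-key trust engine effectively relies on).
pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Pinning checks: exit status 0 means "accept this certificate".
check_fingerprint_pin() {   # $1 = pinned fingerprint, $2 = certificate file
    [ "$(fingerprint "$2")" = "$1" ]
}
check_pubkey_pin() {        # $1 = pinned public-key hash, $2 = certificate file
    [ "$(pubkey_hash "$2")" = "$1" ]
}

# Stand-in for signed metadata: sign a constructed document with the private key.
sign_doc() {
    printf '<EntitiesDescriptor Name="urn:example:constructed"/>\n' > "$WORK/metadata.xml"
    openssl dgst -sha256 -sign "$WORK/signing.key" \
        -out "$WORK/metadata.sig" "$WORK/metadata.xml"
}

# Verify the signature using only the public key extracted from a certificate.
verify_with_cert() {        # $1 = certificate file
    openssl x509 -in "$1" -noout -pubkey > "$WORK/cert-pub.pem"
    openssl dgst -sha256 -verify "$WORK/cert-pub.pem" \
        -signature "$WORK/metadata.sig" "$WORK/metadata.xml" >/dev/null 2>&1
}

demo() {
    make_certs
    old_fp=$(fingerprint "$WORK/old.pem")
    old_pk=$(pubkey_hash "$WORK/old.pem")
    echo "old fingerprint:     $old_fp"
    echo "new fingerprint:     $(fingerprint "$WORK/new.pem")"
    echo "old public-key hash: $old_pk"
    echo "new public-key hash: $(pubkey_hash "$WORK/new.pem")"
    # A deployment that pinned the old fingerprint rejects the renewed certificate...
    if check_fingerprint_pin "$old_fp" "$WORK/new.pem"; then
        echo "fingerprint pin: new certificate accepted"
    else
        echo "fingerprint pin: new certificate REJECTED (refresh would break)"
    fi
    # ...while one that pinned the public key keeps working.
    if check_pubkey_pin "$old_pk" "$WORK/new.pem"; then
        echo "public-key pin: new certificate accepted"
    fi
    # And the signature itself verifies with the key taken from either certificate.
    sign_doc
    verify_with_cert "$WORK/old.pem" && echo "signature verifies via old certificate"
    verify_with_cert "$WORK/new.pem" && echo "signature verifies via new certificate"
}

demo
```

Run it with `sh` in any directory; set `WORK` to keep the generated files somewhere you can inspect with the same `openssl x509 -noout -fingerprint` and `-modulus` commands the notice uses. The practical check it suggests for any non-Shibboleth consumer is the one in `pubkey_hash`: if the value your verifier actually compares changes when only the certificate wrapper changes, that verifier is pinning the certificate and needs the new file before the cutover.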
