
Subject: InCommon Operations Notifications


[InCommon NOTICE] Upgrade to 2048-bit keys in metadata


  • From: Tom Scavo <>
  • To: InCommon Operations Notifications <>
  • Subject: [InCommon NOTICE] Upgrade to 2048-bit keys in metadata
  • Date: Tue, 05 Jun 2012 07:52:12 -0400 (EDT)


You are receiving this message because you are an InCommon Site Administrator
responsible for maintaining metadata for your organization or because you
have added yourself to the inc-ops-notifications mailing list. Please read
the following message to determine IF PROMPT ACTION IS REQUIRED on your part.

In January 2010, InCommon announced that all certificates in metadata must
have at least 2048-bit keys by the end of December 2012. While all new
certificates are required to have at least 2048-bit keys, there are
approximately 125 existing certificates with keys less than 2048 bits [1]
that must be replaced ASAP but no later than December 2012.

We have compiled a complete list of certificates in metadata [2] so you can
determine whether you have certificates that need to be replaced. This file
is updated daily. If your organization has any certificates in metadata with
1024-bit keys, we ask that you migrate these weak certificates to new
certificates containing 2048-bit keys as soon as possible. Be aware that
certificate migration may take weeks depending on how often your federation
partners refresh metadata. FYI, a new document on certificate migration [3]
describes how to systematically replace an old certificate with a new
certificate in metadata without affecting interoperability.

In the InCommon Federation, the use of long-lived, self-signed X.509
certificates in metadata [4] is strongly recommended. A self-signed
certificate containing a 2048-bit key is easily created with the OpenSSL
command-line tool. [5] Before doing so, develop a strategy for securing the
private key, since the security of your deployment (and that of your
partners) depends on the security of the private key used to sign and/or
decrypt messages.

[1] https://wayf.incommonfederation.org/reports/certs/cert-report.txt
[2] https://wayf.incommonfederation.org/reports/certs/cert-raw-data.txt
[3] https://spaces.internet2.edu/display/InCCollaborate/Certificate+Migration
[4] https://spaces.internet2.edu/display/InCCollaborate/X.509+Certificates+in+Metadata
[5] https://spaces.internet2.edu/display/InCCollaborate/Key+Handling
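The notice says a self-signed certificate with a 2048-bit key is easy to create with the OpenSSL command line, that the private key must be protected, and that each site should check its metadata for certificates with keys shorter than 2048 bits. The script below is an added example, not part of the notice and not InCommon's own tooling: it generates such a certificate with the private key created mode 0600 from the start, extracts the key length from any PEM certificate so weak ones can be flagged before publication, and strips the PEM armor to the base64 body that a `<ds:X509Certificate>` element carries. The file names, the CN `sp.example.edu` and the ten-year lifetime are assumptions.

```shell
#!/bin/sh
# Added example (not from the InCommon notice): create a long-lived, self-signed
# 2048-bit RSA certificate with the OpenSSL CLI, keep the private key readable
# only by its owner, and check the key length of PEM certificates so that
# sub-2048-bit certificates are caught before they reach federation metadata.
# File names, the CN and the 10-year lifetime below are assumptions.

MIN_KEY_BITS=2048   # InCommon minimum from the notice

# make_selfsigned_cert DIR CN DAYS
# Writes DIR/key.pem (private key) and DIR/cert.pem (self-signed certificate).
# umask 077 in the subshell makes the key file 0600 at creation time, so it is
# never world-readable, not even briefly; the certificate is public and is
# reset to 0644 afterwards.
make_selfsigned_cert() {
    dir=$1; cn=$2; days=$3
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=$cn" -days "$days" \
          -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 )
    chmod 644 "$dir/cert.pem"
}

# cert_key_bits CERT -> prints the public-key length in bits (e.g. 2048)
# by re-parsing the certificate's SubjectPublicKeyInfo with openssl pkey.
cert_key_bits() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -noout -text \
      | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# key_bits_ok BITS -> succeeds when BITS meets MIN_KEY_BITS
key_bits_ok() { [ "$1" -ge "$MIN_KEY_BITS" ]; }

# key_is_private KEY -> succeeds when the key file is exactly mode 0600
key_is_private() { [ -n "$(find "$1" -perm 600)" ]; }

# cert_for_metadata CERT -> prints the single-line base64 body that goes
# inside <ds:X509Certificate> (PEM BEGIN/END lines removed, newlines joined)
cert_for_metadata() { sed '/^-----/d' "$1" | tr -d '\n'; }

# report_weak_certs CERT... -> prints every certificate whose key is shorter
# than MIN_KEY_BITS; returns 1 if any were found, 0 otherwise
report_weak_certs() {
    weak=0
    for c in "$@"; do
        bits=$(cert_key_bits "$c")
        if ! key_bits_ok "$bits"; then
            echo "WEAK: $c ($bits-bit key, minimum $MIN_KEY_BITS)"
            weak=1
        fi
    done
    return $weak
}

# --- demo: generate a certificate and audit it -----------------------------
demo_dir=$(mktemp -d)
make_selfsigned_cert "$demo_dir" "sp.example.edu" 3650   # ~10-year lifetime
echo "key bits: $(cert_key_bits "$demo_dir/cert.pem")"
key_is_private "$demo_dir/key.pem" && echo "private key is owner-only (0600)"
report_weak_certs "$demo_dir/cert.pem" && echo "no weak certificates"
rm -rf "$demo_dir"
```

Run `report_weak_certs` over every certificate you intend to publish (or over certificates extracted from the raw data file the notice links to) to get the same answer the InCommon report gives, but before the metadata is signed and distributed. The pipeline through `openssl pkey -text` reads the key length from the certificate's public key rather than trusting a file name or a comment, which is the check that matters when an old 1024-bit certificate has been copied forward into a new deployment.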

