
inc-ops-notifications - [InCommon NOTICE] metadata migration process [ACTION REQUIRED]

Subject: InCommon Operations Notifications

  • From: Tom Scavo <>
  • To:
  • Subject: [InCommon NOTICE] metadata migration process [ACTION REQUIRED]
  • Date: Wed, 12 Mar 2014 16:12:45 -0400

You are receiving this message because you are a site administrator or
a delegated administrator for the InCommon Federation. The following
ACTION IS REQUIRED: Migrate to one of the new metadata aggregates ASAP
but no later than March 29, 2014.

On March 29, 2014, the legacy metadata aggregate at location

http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml

will be replaced with a redirect to the following new location:

http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml

The above fallback aggregate was introduced on December 18, 2013. At
that time, a new production metadata aggregate signed using the
SHA-256 digest algorithm was also introduced at the following
location:

http://md.incommon.org/InCommon/InCommon-metadata.xml

ACTION: Migrate to one of the new metadata aggregates ASAP but no
later than March 29, 2014! See: https://spaces.internet2.edu/x/YYDPAg

The new metadata aggregates are signed with the same trusted signing
key that we've always used but the corresponding signing certificate
has been renewed. Before you migrate to one of the new metadata
aggregates, bootstrap your secure metadata refresh process by
obtaining an authentic copy of the new metadata signing certificate.
See: https://spaces.internet2.edu/x/moHFAg

WARNING: If you are using the simpleSAMLphp software, you MUST migrate
to one of the new metadata aggregates by March 29, 2014, otherwise
your metadata refresh process will break! This is because
simpleSAMLphp relies on the fingerprint of the metadata signing
certificate, rather than the public key in the signing certificate.

Shibboleth deployments do not have the previous problem, but they have
a different problem, that is, some Shibboleth SP deployments are not
able to verify an XML signature that uses the SHA-256 digest
algorithm. In that case, you should migrate to the fallback aggregate,
which will continue to use the SHA-1 digest algorithm until June 30,
2014.

For more information: https://spaces.internet2.edu/x/YYDPAg

Questions? Join this mailing list:
https://lists.incommon.org/sympa/info/metadata-support
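
The difference the notice describes between trusting a certificate fingerprint and trusting the public key can be reproduced locally with OpenSSL. This is an added example, not part of the original notice and not InCommon's or simpleSAMLphp's code; the key, both certificates, the subject name and the lifetimes are constructed stand-ins for the old and renewed signing certificates.

```shell
#!/bin/sh
# Added illustration; every file, subject name and lifetime below is constructed.
set -e

# One signing key, two self-signed certificates over it: stand-ins for the
# "old" and the "renewed" metadata signing certificate.
make_demo_certs() {
    dir=$1
    openssl genrsa -out "$dir/signing.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/signing.key" -sha256 -days 30 \
        -set_serial 1 -subj "/CN=constructed-metadata-signer" -out "$dir/old.pem"
    openssl req -new -x509 -key "$dir/signing.key" -sha256 -days 3650 \
        -set_serial 2 -subj "/CN=constructed-metadata-signer" -out "$dir/renewed.pem"
}

# SHA-256 over the whole DER certificate: what a fingerprint pin compares.
cert_fingerprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER SubjectPublicKeyInfo: what a key-based check compares.
key_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Does a pin taken from the old certificate still match the renewed one?
# $1 = fingerprint function, $2 = old certificate, $3 = renewed certificate
survives_renewal() {
    if [ "$("$1" "$2")" = "$("$1" "$3")" ]; then echo yes; else echo no; fi
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
echo "certificate-fingerprint pin survives renewal: $(survives_renewal \
    cert_fingerprint "$demo_dir/old.pem" "$demo_dir/renewed.pem")"
echo "public-key pin survives renewal: $(survives_renewal \
    key_fingerprint "$demo_dir/old.pem" "$demo_dir/renewed.pem")"
```

The same two functions can be pointed at a pinned certificate and a newly downloaded one to see which kind of trust configuration a renewal would invalidate.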


