inc-ops-notifications - [InCommon NOTICE] metadata migration process [ACTION REQUIRED]
Subject: InCommon Operations Notifications
List archive
- From: Tom Scavo <>
- To:
- Subject: [InCommon NOTICE] metadata migration process [ACTION REQUIRED]
- Date: Wed, 12 Mar 2014 16:12:45 -0400
You are receiving this message because you are a site administrator or
a delegated administrator for the InCommon Federation. The following
ACTION IS REQUIRED: Migrate to one of the new metadata aggregates ASAP
but no later than March 29, 2014.
On March 29, 2014, the legacy metadata aggregate at location
http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
will be replaced with a redirect to the following new location:
http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml
The above fallback aggregate was introduced on December 18, 2013. At
that time, a new production metadata aggregate signed using the
SHA-256 digest algorithm was also introduced at the following
location:
http://md.incommon.org/InCommon/InCommon-metadata.xml
ACTION: Migrate to one of the new metadata aggregates ASAP but no
later than March 29, 2014! See: https://spaces.internet2.edu/x/YYDPAg
The new metadata aggregates are signed with the same trusted signing
key that we've always used but the corresponding signing certificate
has been renewed. Before you migrate to one of the new metadata
aggregates, bootstrap your secure metadata refresh process by
obtaining an authentic copy of the new metadata signing certificate.
See: https://spaces.internet2.edu/x/moHFAg
WARNING: If you are using the simpleSAMLphp software, you MUST migrate
to one of the new metadata aggregates by March 29, 2014, otherwise
your metadata refresh process will break! This is because
simpleSAMLphp relies on the fingerprint of the metadata signing
certificate, rather than the public key in the signing certificate.
Shibboleth deployments do not have the previous problem, but they have
a different problem, that is, some Shibboleth SP deployments are not
able to verify an XML signature that uses the SHA-256 digest
algorithm. In that case, you should migrate to the fallback aggregate,
which will continue to use the SHA-1 digest algorithm until June 30,
2014.
For more information: https://spaces.internet2.edu/x/YYDPAg
Questions? Join this mailing list:
https://lists.incommon.org/sympa/info/metadata-support
- [InCommon NOTICE] metadata migration process [ACTION REQUIRED], Tom Scavo, 03/12/2014
- [InCommon NOTICE] Re: metadata migration process [ACTION REQUIRED], Tom Scavo, 03/24/2014
Archive powered by MHonArc 2.6.16.