inc-ops-notifications - [InCommon NOTICE] Re: metadata migration process [ACTION REQUIRED]
Subject: InCommon Operations Notifications
- From: Tom Scavo
- Subject: [InCommon NOTICE] Re: metadata migration process [ACTION REQUIRED]
- Date: Mon, 24 Mar 2014 09:37:23 -0400
This followup message is FYI.

Since March 29th is on a Saturday, we've decided to install the
redirect on the following Monday, March 31 @ noon EDT. We don't expect
any breakage to occur but this is an added precaution nonetheless.

Btw, if you didn't see this blog post, please take a look:
https://spaces.internet2.edu/x/HYLPAg

PS. This message is being sent to InCommon site administrators only.
Please pass this information downstream to your delegated
administrators as necessary.

On Wed, Mar 12, 2014 at 4:12 PM, Tom Scavo wrote:
> You are receiving this message because you are a site administrator or
> a delegated administrator for the InCommon Federation. The following
> ACTION IS REQUIRED: Migrate to one of the new metadata aggregates ASAP
> but no later than March 29, 2014.
>
> On March 29, 2014, the legacy metadata aggregate at location
>
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
>
> will be replaced with a redirect to the following new location:
>
> http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml
>
> The above fallback aggregate was introduced on December 18, 2013. At
> that time, a new production metadata aggregate signed using the
> SHA-256 digest algorithm was also introduced at the following
> location:
>
> http://md.incommon.org/InCommon/InCommon-metadata.xml
>
> ACTION: Migrate to one of the new metadata aggregates ASAP but no
> later than March 29, 2014! See: https://spaces.internet2.edu/x/YYDPAg
>
> The new metadata aggregates are signed with the same trusted signing
> key that we've always used but the corresponding signing certificate
> has been renewed. Before you migrate to one of the new metadata
> aggregates, bootstrap your secure metadata refresh process by
> obtaining an authentic copy of the new metadata signing certificate.
> See: https://spaces.internet2.edu/x/moHFAg
>
> WARNING: If you are using the simpleSAMLphp software, you MUST migrate
> to one of the new metadata aggregates by March 29, 2014, otherwise
> your metadata refresh process will break! This is because
> simpleSAMLphp relies on the fingerprint of the metadata signing
> certificate, rather than the public key in the signing certificate.
>
> Shibboleth deployments do not have the previous problem, but they have
> a different problem, that is, some Shibboleth SP deployments are not
> able to verify an XML signature that uses the SHA-256 digest
> algorithm. In that case, you should migrate to the fallback aggregate,
> which will continue to use the SHA-1 digest algorithm until June 30,
> 2014.
>
> For more information: https://spaces.internet2.edu/x/YYDPAg
>
> Questions? Join this mailing list:
> https://lists.incommon.org/sympa/info/metadata-support
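
The quoted notice says the signing certificate was renewed under the same key, and that software pinning the certificate fingerprint breaks while software trusting the public key does not. The following is an added example, not part of the original message or InCommon's tooling, that reproduces the effect with the `openssl` CLI. It assumes a throwaway RSA key, a placeholder subject name, SHA-256 fingerprints, and hypothetical helper names (`cert_fingerprint`, `spki_hash`, `issue_cert`, `pin_check`).

```shell
#!/usr/bin/env bash
# Constructed demo: one throwaway signing key, two certificates issued for it
# (an "original" and a "renewal"). Subject name and file names are placeholders.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# SHA-256 fingerprint of the whole DER certificate; changes on every reissue.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 of the DER SubjectPublicKeyInfo; stable for as long as the key is.
spki_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# issue_cert KEY OUT DAYS: self-sign a certificate for an existing key.
issue_cert() {
  openssl req -new -x509 -key "$1" -out "$2" -days "$3" \
    -subj "/CN=example-metadata-signer" 2>/dev/null
}

# pin_check LABEL PINNED CURRENT: report whether a stored pin still matches.
pin_check() {
  if [ "$2" = "$3" ]; then echo "$1: match"; else echo "$1: MISMATCH"; return 1; fi
}

openssl genrsa -out "$workdir/signer.key" 2048 2>/dev/null
issue_cert "$workdir/signer.key" "$workdir/old.pem" 365
issue_cert "$workdir/signer.key" "$workdir/renewed.pem" 730

# Pins recorded against the old certificate, checked against the renewed one.
pin_check "certificate fingerprint pin" \
  "$(cert_fingerprint "$workdir/old.pem")" \
  "$(cert_fingerprint "$workdir/renewed.pem")" || true
pin_check "public key (SPKI) pin" \
  "$(spki_hash "$workdir/old.pem")" \
  "$(spki_hash "$workdir/renewed.pem")"
```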