inc-ops-notifications - [InCommon NOTICE] modifications to the InCommon metadata signing process [FYI only]
Subject: InCommon Operations Notifications
List archive
[InCommon NOTICE] modifications to the InCommon metadata signing process [FYI only]
Chronological Thread
- From: Thomas Scavo <>
- To: "" <>
- Cc: InCommon Administration <>
- Subject: [InCommon NOTICE] modifications to the InCommon metadata signing process [FYI only]
- Date: Fri, 8 Apr 2016 12:57:59 +0000
- Accept-language: en-US
- Authentication-results: incommon.org; dkim=none (message not signed) header.d=none;incommon.org; dmarc=none action=none header.from=internet2.edu;
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:23
This message is intended to bring you up to date on a new strategy currently
being implemented by InCommon Operations that will make the metadata signing
process more robust and dependable. Recall that, on Monday, March 21, the
InCommon metadata signing process was unable to verify the XML signature on
eduGAIN metadata. That signature was in fact faulty due to a bug in the
metadata aggregation software used by eduGAIN operations.
Briefly, the new strategy falls back (if necessary) on a cached copy of the
eduGAIN metadata aggregate. If the import of eduGAIN metadata fails for any
reason, the cached metadata permits the metadata signing process to run to
completion. Once that critical process has completed, a manual intervention
process can be initiated if needed. This ensures that daily metadata updates
approved by the InCommon RA will be published in a secure and timely manner
independent of eduGAIN metadata.
If you have any questions or concerns, please contact us at
Tom Scavo
For InCommon Operations
On Thu, Mar 24, 2016 at 9:46 AM, Thomas Scavo
<>
wrote:
> We have incomplete evidence at this time, so what I'm about to say is a
> working hypothesis only.
>
> Earlier this week, an eduGAIN participant organization (CAF) introduced bad
> characters into entity metadata, which exercised a latent bug in the
> metadata aggregation tool (pyFF) that eduGAIN operations uses to verify and
> sign metadata. Consequently, on Monday, March 21, eduGAIN published an
> aggregate with a faulty signature that the InCommon metadata signing
> process did not properly handle.
>
> eduGAIN operations has already taken steps to prevent the publication of an
> aggregate with a bad signature. InCommon operations is still considering
> its options. I will provide another update when I have more details.
- [InCommon NOTICE] modifications to the InCommon metadata signing process [FYI only], Thomas Scavo, 04/08/2016
Archive powered by MHonArc 2.6.16.