inc-ops-notifications - [InCommon NOTICE] IMPORTANT: InCommon to update metadata signing procedures in response to COVID-19
Subject: InCommon Operations Notifications
List archive
[InCommon NOTICE] IMPORTANT: InCommon to update metadata signing procedures in response to COVID-19
Chronological Thread
- From: "Nicholas Roy" <>
- To: ,
- Subject: [InCommon NOTICE] IMPORTANT: InCommon to update metadata signing procedures in response to COVID-19
- Date: Wed, 01 Apr 2020 10:00:25 -0600
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=internet2.edu; dmarc=pass action=none header.from=internet2.edu; dkim=pass header.d=internet2.edu; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=InCCSDZGcXgNoW3GAPqdySmwqI4BN49kZzycFQOFMWc=; b=YX7ox6gBZ/Z9FYoOw+2ITwlyhvjq/MoJazl3/iUcn0GlWie0NEueDfDd8JpNaWJc0BU6AwzLGXkXxF3BMQNQkApEE1nmENIrLpxsjf+hKtDuj/6z5p6NzKDyUw86dMblu2ont0OYRQRpxE0uBuE6tCf+etHoHpOOYUZ6v6Ntwee6E52Xxxe0lJGcfyp3KrOqaQa31QJWiUpi2bKURq5x+oXQ7K8iX1Fdvob+C1vSDENTQaXKgmr5TPdLwP2Y5DTugGo6bw51xAWMzj71u2/n6Vtz0vfpy4vm+UHjO7eIr8H0wtT5WGtzt43eqMCfTzQIgmTdMVAtCBeVht+ObfflxQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ccbRJqzQ2GzIsqZefLEYVTr6A/xRsXGMEz3xquAuXpQZ/ED8YGDkzZ57ZjyJ9oZ9lA5k2yC/dEFTgUS1ZCdh+dEX2Uxbvn3cSHEnPRwmXiR6irhJO9XD9atneZOcwsdNPBZ85ISnpOi4zyPhmqVMdR9oAgdw9PR8ZYCeLKun32mB33hhEXmpVyTXojpXW2D0WsaRthhpWz6noLjjD0gYuddumI//85cs5W6nrKpnPsyqTqOfU+YS/8DuY4cZtLIHRTE5eIaU4JWiEGj9c4dSlth0Uo7pyIunbhZYyZRKjhF8Lecv4NEz5KI+33zQvrw0sdPJQDaV0iyi4gxyRMr6kg==
Dear InCommon participants and site admins:
Please note that this message does not require action on your part; it relates to the internal method we use for signing metadata.
As with many of you, InCommon has had to adjust its operations to ensure continuity of critical infrastructure as a result of the COVID-19 pandemic. We have accelerated the timing for a planned change in the way we sign metadata. Currently, two people need to physically be in our Ann Arbor office each day to sign metadata. We have developed a signing process that can be accomplished without anyone needing to be physically present in Ann Arbor, but that maintains the high level of security needed for the signing.
Starting Wednesday, April 8, the metadata signing will move to an automated process. In short, we will retrieve the unsigned metadata from the Federation Manager in a secure location in our infrastructure. Signing will be performed by a slightly modified version of the current tested/documented tooling that signs metadata. The new process will use a tamper-proof Hardware Security Module (“HSM”) to sign without a human being needing to be physically present. The newly signed aggregate will then be deployed to our existing metadata distribution servers.
This metadata will be signed by the existing “legacy” metadata signing key, so no change is needed by you to make use of this new system. From the outside, everything will be the same. This change does not affect our new MDQ metadata distribution service, but is constructed using some of the same components.
We have provided additional information on this wiki page: https://spaces.at.internet2.edu/x/lAHvCQ. If you have any questions or concerns, please email
Best Regards,
Nicholas Roy
Director of Technology and Strategy, InCommon
on behalf of InCommon Operations
Attachment:
signature.asc
Description: OpenPGP digital signature
- [InCommon NOTICE] IMPORTANT: InCommon to update metadata signing procedures in response to COVID-19, Nicholas Roy, 04/01/2020
Archive powered by MHonArc 2.6.19.