
md-distro - [md-distro] proposal to deploy two new metadata aggregates

Subject: Metadata Distribution Subcommittee of TAC

  • From: Tom Scavo <>
  • To:
  • Subject: [md-distro] proposal to deploy two new metadata aggregates
  • Date: Fri, 25 Oct 2013 16:27:52 -0400

Ops met this afternoon to discuss the UKf approach to metadata
distribution eloquently described by Ian on yesterday's call. The idea
of a "fallback aggregate" makes a lot of sense to us, so unless
someone in this group disagrees, we will be adopting the UKf approach.
(Ian's probably thinking: "Sheesh, it's about time!" but what can I
say :)

Let me try to be a bit more concrete...

We will deploy two new metadata aggregates ASAP:

http://md.incommon.org/InCommon/InCommon-metadata.xml
http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml

Both of them will make use of the new self-signed signing certificate
that we've been talking about. The first one will be signed with a
SHA-2 digest algorithm while the second one will be signed with a
SHA-1 digest algorithm (like we do now).

Note the new vhost md.incommon.org. Once the new aggregates are
deployed, the old vhost (wayf.incommonfederation.org) will be phased
out TBD.

Clearly we need to deploy these new metadata aggregates ASAP but I
don't have a date yet. The best I can do is promise a deployment date
will be announced during Identity Week. So, during my CAMP
presentation, I will be announcing a firm deployment date for these
two new aggregates.

Prior to this to-be-announced deployment date, we will do internal
testing with TAC and others. (For instance, Dick Visser, TERENA, has
volunteered to test his InC SSP deployment.) We will be looking for
volunteers in the coming weeks.

Our messaging to inc-ops-notifications will be clear:

- These are *permanent* HTTP locations.
- Move to the production aggregate ASAP if your deployment is
compatible with SHA-2 today.
- If your deployment is NOT compatible with SHA-2, plan to migrate to
SHA-2 or plan to migrate to the fallback aggregate, whichever is
appropriate. In any case, the fallback aggregate will be sync'd with
the production aggregate on a timeline TBD.
- The old HTTP location (based on legacy vhost
wayf.incommonfederation.org) will be phased out TBD.

By the time we send our first message to inc-ops-notifications, a
timeline for syncing the fallback aggregate with the production
aggregate will be known. Likewise a timeline for phasing out the old
location will be known.

If you have ideas or suggestions for a reasonable timeline, please
post them here for discussion. We're all ears :-)

Thanks,

Tom
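
Added example (not part of the original message and not InCommon's tooling): a consumer choosing between the SHA-2 production aggregate and the SHA-1 fallback aggregate can read the algorithm URIs that an aggregate's XML signature declares. The sample documents are constructed and the function names are hypothetical; the code inspects declared algorithms only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Standard XML Signature algorithm URIs mapped to a hash family.
HASH_FAMILY = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-2",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "SHA-2",
    "http://www.w3.org/2001/04/xmlenc#sha512": "SHA-2",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-2",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "SHA-2",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA-2",
}

def declared_algorithms(metadata_xml):
    """Return hash families declared by the aggregate's top-level ds:Signature."""
    root = ET.fromstring(metadata_xml)
    signed_info = root.find(f"{DS}Signature/{DS}SignedInfo")
    if signed_info is None:
        raise ValueError("aggregate carries no top-level signature")
    sig_method = signed_info.find(f"{DS}SignatureMethod")
    digests = signed_info.findall(f"{DS}Reference/{DS}DigestMethod")
    if sig_method is None or not digests:
        raise ValueError("SignedInfo lacks SignatureMethod or DigestMethod")
    family = lambda el: HASH_FAMILY.get(el.get("Algorithm"), "unknown")
    return {"signature": family(sig_method),
            "digests": [family(d) for d in digests]}

def weakest_hash(metadata_xml):
    """SHA-1 if any declared algorithm uses it, SHA-2 only if all do."""
    info = declared_algorithms(metadata_xml)
    families = [info["signature"], *info["digests"]]
    if "SHA-1" in families:
        return "SHA-1"
    return "SHA-2" if all(f == "SHA-2" for f in families) else "unknown"

def constructed_sample(sig_uri, digest_uri):
    """Constructed skeleton of a signed aggregate; the values are placeholders."""
    return f"""<md:EntitiesDescriptor Name="constructed-sample"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="{sig_uri}"/>
  <ds:Reference URI=""><ds:DigestMethod Algorithm="{digest_uri}"/>
   <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</md:EntitiesDescriptor>"""
```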

