md-distro - Re: [md-distro] Agenda: Review and Final Meeting [0169395#]

Subject: Metadata Distribution Subcommittee of TAC

  • From: "Joe St Sauver" <>
  • To:
  • Subject: Re: [md-distro] Agenda: Review and Final Meeting [0169395#]
  • Date: Thu, 16 Jan 2014 08:28:24 -0800 (PST)

John mentioned:

#We'll meet for a final stamp of approval on our Phase 2 Recommendations today
#at Noon ET, our final consensus prior to sending to the TAC, and our final
#meeting of md-distro.
#
#Phase 2 Recommendations:
# https://spaces.internet2.edu/x/F4G8Ag

Two questions on the Terminology section items:

-- Currently as part of the definition of signing key, you explicitly
specify that this is an RSA-2048 bit key. Do you want to clarify that
that's what's *currently* used/recommended, but note that some other sort
of algo (or longer key length) might be used at some point in the future.

FWIW, RSA-2048 gives you security equivalent to a 112 bit symmetric key,
which frankly isn't all that much, and the required RSA key length for
higher levels of security rapidly gets large (see Table 1 of
http://www.nsa.gov/business/programs/elliptic_curve.shtml ). My
prediction, therefore, is that at some point in the future, you're
going to want to think about doing elliptic curve crypto rather than
just staying with RSA.

-- The signing certificate is defined as: "an X.509v3 certificate
containing a public key used to verify the signature on a metadata file;
a container for an RSA 2048-bit public key"

Might it be better to describe the cert as "an X.509v3 (RFC3280) digital
certificate tying an identity to a public/private keypair"?

And as for the public key "container," in InCommon usage, wouldn't that
actually normally be a PEM-format file, e.g.,
http://md.incommon.org/certs/inc-md-cert.pem ?

(btw, if you try to go to https://md.incommon.org/certs/inc-md-cert.pem
you get a cert error, because that host uses a cert that's only valid
for wayf.incommonfederation.org, see also
https://www.ssllabs.com/ssltest/analyze.html?d=md.incommon.org&hideResults=on&ignoreMismatch=on )

Regards,

Joe
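Added example, not part of Joe's message or of the md-distro recommendations: a stdlib-only Python check that pulls the RSA modulus out of a PEM certificate (such as the InCommon signing cert linked above) and maps its size to the NIST SP 800-57 symmetric-equivalent strength, i.e. the 112-bit figure quoted for RSA-2048. The certificate it parses is a constructed skeleton built inline (not InCommon's real cert); for a real PEM file, pass the file contents to key_info.

```python
import base64, re
RSA_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]  # SP 800-57 Table 2

def der_children(data):  # split a DER constructed body into (tag, contents) pairs
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long-form length: next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + length]))
        i += length
    return out

def decode_oid(body):  # base-128 arcs -> dotted string
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def key_info(pem):  # -> (modulus bits, symmetric-equivalent strength) for an RSA certificate
    cert = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    tbs = der_children(der_children(der_children(cert)[0][1])[0][1])
    spki = der_children(tbs[6][1] if tbs[0][0] == 0xA0 else tbs[5][1])  # skip [0] version
    alg = der_children(spki[0][1])
    if decode_oid(alg[0][1]) != "1.2.840.113549.1.1.1":  # rsaEncryption
        raise ValueError("not an RSA key; EC keys use id-ecPublicKey and a different layout")
    pubkey = spki[1][1][1:]  # drop the BIT STRING unused-bits byte
    modulus = der_children(der_children(pubkey)[0][1])[0][1]
    bits = int.from_bytes(modulus, "big").bit_length()
    return bits, max((s for k, s in RSA_STRENGTH if bits >= k), default=0)

def tlv(tag, body):  # DER encode one TLV; used only to build the constructed sample below
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def fake_rsa_cert_pem(modulus_bits):  # constructed X.509 skeleton, NOT a real certificate
    modulus = b"\x00" + (1 << (modulus_bits - 1)).to_bytes(modulus_bits // 8, "big")
    rsa_key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))  # rsaEncryption
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + rsa_key))
    empty = tlv(0x30, b"")  # issuer, validity and subject left empty in the skeleton
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + empty * 3 + spki)
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
```

key_info(fake_rsa_cert_pem(2048)) returns (2048, 112); a 3072-bit modulus maps to 128, the next NIST strength level.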
