metadata-support - Re: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version

Subject: InCommon metadata support

  • From: Tom Scavo <>
  • To:
  • Subject: Re: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version
  • Date: Thu, 19 Dec 2013 14:17:43 -0500

On Thu, Dec 19, 2013 at 1:25 PM, Brian Gibson
<>
wrote:
> Everything went according to plan as mentioned in my original email.

As a slight improvement, I recommend a 14-day maxValidityInterval
(instead of 28):

maxValidityInterval="P14D"

We decreased the value of the validUntil XML attribute on InCommon
metadata from 28 to 14 some time ago (but I forgot to modify the wiki
page). I just now updated the wiki:

https://spaces.internet2.edu/x/XAQjAQ

There is some security benefit to having a tight validUntil. The
smaller the value, the less opportunity for an attacker to replay an
old metadata file.

FYI, I believe the optimal value of validUntil is around four (4)
days. We will have to automate portions of our metadata production
process before reducing validUntil further, however.

Tom
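
Added example, not part of the message above and not Shibboleth's own code: a simplified consumer-side check showing how a `validUntil` bound limits how long an old metadata file can be replayed. The function names, the sample aggregate and the publication time are constructed for illustration; signature verification is assumed to happen separately, and only day-granularity durations such as `P14D` are parsed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def parse_days(duration):
    """Parse the day-only xs:duration form used in the message (e.g. P14D)."""
    m = re.fullmatch(r"P(\d+)D", duration)
    if not m:
        raise ValueError("only PnD durations are handled in this example")
    return timedelta(days=int(m.group(1)))

def check_valid_until(xml_text, now, max_validity="P14D"):
    """Return (accepted, reason) for a metadata document evaluated at `now`."""
    root = ET.fromstring(xml_text)
    if root.tag not in (f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"):
        return False, "not SAML metadata"
    raw = root.get("validUntil")
    if raw is None:
        return False, "validUntil missing"      # unbounded lifetime: replayable forever
    valid_until = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if valid_until <= now:
        return False, "expired"                 # an old file replayed after its window
    if valid_until - now > parse_days(max_validity):
        return False, "validity interval too long"
    return True, "ok"

def sample_aggregate(valid_until):
    """Build a constructed, empty aggregate carrying only a validUntil attribute."""
    return (f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" '
            f'validUntil="{valid_until:%Y-%m-%dT%H:%M:%SZ}"/>')

PUBLISHED = datetime(2013, 12, 19, 19, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
OLD_FILE = sample_aggregate(PUBLISHED + timedelta(days=14))        # 14-day validUntil

if __name__ == "__main__":
    # The same captured file, presented again N days after publication.
    for age in (0, 7, 13, 15):
        print(age, check_valid_until(OLD_FILE, PUBLISHED + timedelta(days=age)))
```

The captured file is still accepted 13 days after publication and rejected at day 15, so the `validUntil` offset is the length of the replay window; a file published with a 28-day `validUntil` is refused outright under `P14D`.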

