metadata-support - RE: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version

Subject: InCommon metadata support

  • From: "Doan, Tommy" <>
  • To: "" <>
  • Subject: RE: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version
  • Date: Thu, 19 Dec 2013 19:41:21 +0000
  • Accept-language: en-US

Thanks for that tip!

-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Thursday, December 19, 2013 1:18 PM
To:
Subject: Re: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version

On Thu, Dec 19, 2013 at 1:25 PM, Brian Gibson <> wrote:
> Everything went according to plan as mentioned in my original email.

As a slight improvement, I recommend a 14 day maxValidityInterval (instead of
28):

maxValidityInterval="P14D"

We decreased the value of the validUntil XML attribute on InCommon metadata
from 28 to 14 some time ago (but I forgot to modify the wiki page). I just
now updated the wiki:

https://spaces.internet2.edu/x/XAQjAQ

There is some security benefit to having a tight validUntil. The smaller the
value, the less opportunity for an attacker to replay an old metadata file.

FYI, I believe the optimal value of validUntil is around four (4) days. We
will have to automate portions of our metadata production process before
reducing validUntil further, however.

Tom
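
Added example, not part of the original thread and not Shibboleth's code: a Python illustration of the freshness check that a `maxValidityInterval` setting expresses, run against constructed metadata roots to show how the `validUntil` window bounds replay of an old file. The function names, the sample aggregate and its dates are assumptions; signature verification is out of scope and only days-only durations such as `P14D` are parsed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed sample aggregate root; the Name value is illustrative only.
TEMPLATE = ('<md:EntitiesDescriptor xmlns:md="' + MD_NS + '" '
            'Name="urn:example:federation"{attr}/>')

def utc(stamp):
    """Parse the UTC timestamp form used in the samples below."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sample(valid_until=None):
    """Build a constructed metadata document, with or without validUntil."""
    return TEMPLATE.format(attr=f' validUntil="{valid_until}"' if valid_until else "")

def parse_days(duration):
    """Parse a days-only duration such as 'P14D' (assumption: no other forms)."""
    m = re.fullmatch(r"P(\d+)D", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration!r}")
    return timedelta(days=int(m.group(1)))

def check_valid_until(xml_text, max_validity, now):
    """Return (accepted, reason) for the root element's validUntil attribute."""
    root = ET.fromstring(xml_text)
    raw = root.get("validUntil")
    if raw is None:
        return False, "validUntil missing"
    valid_until = utc(raw)
    if valid_until <= now:
        return False, "expired"          # an old file replayed after its window
    if valid_until - now > parse_days(max_validity):
        return False, "validUntil too far in the future"
    return True, "ok"

if __name__ == "__main__":
    published = utc("2013-12-19T20:00:00Z")
    replayed = utc("2014-01-08T00:00:00Z")   # about 20 days later
    files = {"14-day file": "2014-01-02T00:00:00Z", "28-day file": "2014-01-16T00:00:00Z"}
    for label, stamp in files.items():
        for when in (published, replayed):
            print(label, when.date(), check_valid_until(sample(stamp), "P14D", when))
```

In this run the 14-day file is rejected as expired when presented 20 days after publication, while the 28-day file is rejected at publication time under `P14D` but would still be within its own window on day 20.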


