[Metadata-Support] Re: new metadata with SSP 1.11


  • From: Tom Scavo <>
  • To: Dan Schwartz <>
  • Cc:
  • Subject: [Metadata-Support] Re: new metadata with SSP 1.11
  • Date: Thu, 2 Jan 2014 16:00:48 -0500

Hi Dan,

Thanks for asking these good questions. See answers below.

I'm copying the metadata-support mailing list on this message. Can you
please subscribe to the mailing list before you reply (so as to
archive the entire thread)?

Thanks,

Tom

On Thu, Jan 2, 2014 at 3:26 PM, Dan Schwartz <> wrote:
> Hi Tom -
>
> I have a simplesamlphp (SSP) SP system which isn't really production
> yet, and I was trying out the new metadata with it.
>
> 1. Do you know when 1.12 is planned to be released? I haven't seen
> anything about it since your note (and discussions with Jamie P on the
> SSP mailing list) around 11/19/13.

That's a good question. I'll post to the SSP mailing list to find out.

> 2. I loaded up the new metadata from
> http://md.incommon.org/InCommon/InCommon-metadata.xml, and generated a
> SHA256 fingerprint from http://md.incommon.org/certs/inc-md-cert.pem
> for it -
> 2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B,
> but SSP 1.11 complained about it saying that I had the wrong
> fingerprint and needed the SHA1 one -
> 7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD, so I
> created an array and put both in and that worked. Should it have
> switched to using SHA2 automatically? Do I need to configure
> something to tell it to use SHA2? Is the SHA2 stuff coming later?

Ah, I think you tripped up on the many uses of the SHA digest
algorithm that are in play here. Let me try to list some of them here
(since I think this will become a FAQ).

- The SSP metarefresh module requires the SHA-1 fingerprint of the
metadata signing certificate, which is listed above and on the (new)
Metadata Signing Certificate wiki page:
https://spaces.internet2.edu/x/moHFAg

- The production metadata aggregate and the fallback metadata
aggregate are signed using SHA-256 and SHA-1, respectively.
(https://spaces.internet2.edu/x/SoG8Ag) You can see this by inspecting
the signed XML metadata. The production metadata aggregate contains
this element:

<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

while the fallback metadata aggregate contains this element:

<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

Note that the XML signature on the metadata has nothing to do with the
fingerprint of the metadata signing certificate.

- You can remove the SHA-256 fingerprint from your SSP config since
AFAIK SSP only recognizes a SHA-1 fingerprint. See the (new)
SimpleSAMLphp Metadata Config wiki page for a working config example:
https://spaces.internet2.edu/x/eYHFAg

> The way I read the description, it seemed like the production metadata
> that I'm downloading should already be using the SHA-2 code.

See above. The production metadata aggregate *is* signed using SHA-256
and your SSP software is apparently verifying the XML signature just
fine.

> The
> webpage -
> https://spaces.internet2.edu/display/InCCollaborate/Phase+1+Implementation+Plan
> could use a little re-wording now that it's after 1/1/2014.

Yes, I'll work on that, thanks.

> --
> Dan Schwartz | LTS - Systems and Networking | Lehigh University |
>
> | (610) 758-5061
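As an added illustration (not part of the thread, and not SimpleSAMLphp or InCommon code), the script below makes Tom's distinction concrete: a consumer pins a fingerprint, which is a hash of the signing certificate's DER bytes, while ds:DigestMethod describes the XML signature over the aggregate, so the two hash choices are independent. The certificate bytes and the aggregate are constructed placeholders; the SHA-1-only pin check mirrors the behaviour Dan observed in SSP 1.11 and reports the algorithm mix-up explicitly.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# DigestMethod URIs quoted in the thread, mapped to hashlib names.
DIGEST_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}

def pem_to_der(pem):
    """Strip the PEM armor and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def fingerprint(pem, algo):
    """Colon-separated upper-case hex digest of the DER certificate (openssl format)."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_algorithm(fp):
    """Infer from its length which hash a configured fingerprint came from."""
    return {40: "sha1", 64: "sha256"}.get(len(fp.replace(":", "")), "unknown")

def check_pinned_fingerprint(pem, configured):
    """SHA-1-only pin check (as SSP metarefresh in the thread); name a wrong-algorithm value."""
    algo = fingerprint_algorithm(configured)
    if algo != "sha1":
        return False, f"expected a SHA-1 fingerprint (40 hex digits), got {algo}"
    ok = fingerprint(pem, "sha1").replace(":", "") == configured.replace(":", "").upper()
    return ok, "match" if ok else "mismatch"

def signature_digest_algorithm(metadata_xml):
    """Read ds:DigestMethod from the aggregate's signature; unrelated to the cert fingerprint."""
    method = ET.fromstring(metadata_xml).find(f".//{DS}DigestMethod")
    return "unsigned" if method is None else DIGEST_URIS.get(method.get("Algorithm"), "unknown")

def constructed_aggregate(digest_uri):
    """Minimal stand-in for a signed aggregate (constructed, not real InCommon metadata)."""
    return ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference><ds:DigestMethod Algorithm="{digest_uri}"/></ds:Reference>'
            '</ds:SignedInfo></ds:Signature></md:EntitiesDescriptor>')

# Constructed placeholder bytes standing in for a real DER certificate.
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % base64.b64encode(b"constructed placeholder, not a real certificate").decode())
```

Feeding the real signing certificate to `fingerprint(pem, "sha1")` reproduces what `openssl x509 -noout -fingerprint -sha1` prints, which is the value the consumer should pin regardless of whether the aggregate's signature uses SHA-256 or SHA-1.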
