
metadata-support - [Metadata-Support] Re: [InCommon NOTICE] metadata migration process [ACTION REQUIRED]

Subject: InCommon metadata support

  • From: Tom Scavo <>
  • To: "Ullfig, Roberto" <>
  • Cc: Tom Scavo <>, "" <>
  • Subject: [Metadata-Support] Re: [InCommon NOTICE] metadata migration process [ACTION REQUIRED]
  • Date: Wed, 19 Mar 2014 10:26:35 -0400

[Roberto, please subscribe to the mailing list for followups]

On Wed, Mar 19, 2014 at 9:45 AM, Ullfig, Roberto <> wrote:
> So the old metadata location and certificate will cease to function on
> March 29?

I'm not sure what you mean. The announcement outlines what is
happening and what needs to be done. In particular, a redirect will be
installed on March 29.

> Is the certificate expiring?

Yes, the old metadata signing certificate expires on May 2, 2014. The
certificate of the CA that signed the old metadata signing certificate
expires on March 29, 2014.

For more information, see: https://spaces.internet2.edu/x/5IOZAg

> Why would the legacy location not continue to be supported if the cert is
> not expiring?

The old metadata signing certificate *is* expiring but that's not the
only reason for this migration. See the complete list of drivers on
the above wiki page.

Hope this helps,

Tom

> -----Original Message-----
> From: [mailto:] On Behalf Of Tom Scavo
> Sent: Wednesday, March 12, 2014 3:13 PM
> To:
> Subject: [InCommon NOTICE] metadata migration process [ACTION REQUIRED]
>
> You are receiving this message because you are a site administrator or a
> delegated administrator for the InCommon Federation. The following ACTION
> IS REQUIRED: Migrate to one of the new metadata aggregates ASAP but no
> later than March 29, 2014.
>
> On March 29, 2014, the legacy metadata aggregate at location
>
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
>
> will be replaced with a redirect to the following new location:
>
> http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml
>
> The above fallback aggregate was introduced on December 18, 2013. At that
> time, a new production metadata aggregate signed using the
> SHA-256 digest algorithm was also introduced at the following
> location:
>
> http://md.incommon.org/InCommon/InCommon-metadata.xml
>
> ACTION: Migrate to one of the new metadata aggregates ASAP but no later
> than March 29, 2014! See: https://spaces.internet2.edu/x/YYDPAg
>
> The new metadata aggregates are signed with the same trusted signing key
> that we've always used but the corresponding signing certificate has been
> renewed. Before you migrate to one of the new metadata aggregates,
> bootstrap your secure metadata refresh process by obtaining an authentic
> copy of the new metadata signing certificate.
> See: https://spaces.internet2.edu/x/moHFAg
>
> WARNING: If you are using the simpleSAMLphp software, you MUST migrate to
> one of the new metadata aggregates by March 29, 2014, otherwise your
> metadata refresh process will break! This is because simpleSAMLphp relies
> on the fingerprint of the metadata signing certificate, rather than the
> public key in the signing certificate.
>
> Shibboleth deployments do not have the previous problem, but they have a
> different problem, that is, some Shibboleth SP deployments are not able to
> verify an XML signature that uses the SHA-256 digest algorithm. In that
> case, you should migrate to the fallback aggregate, which will continue to
> use the SHA-1 digest algorithm until June 30, 2014.
>
> For more information: https://spaces.internet2.edu/x/YYDPAg
>
> Questions? Join this mailing list:
> https://lists.incommon.org/sympa/info/metadata-support
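
The simpleSAMLphp warning in the quoted announcement turns on the difference between pinning a certificate fingerprint and pinning the public key. The sketch below is an added example, not part of the original messages or of InCommon's tooling: it issues two certificates for one key and compares both kinds of pin. It assumes the `openssl` command-line tool is installed; the file names, subject name, serial numbers and validity periods are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: one signing key, an "old" and a "renewed" self-signed
# certificate for it. Nothing here touches the real InCommon certificates.
set -e
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# SHA-256 fingerprint of the whole certificate (changes on every reissue).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 of the DER SubjectPublicKeyInfo (stable while the key is unchanged).
spki_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Would a consumer pinned to certificate $1 accept certificate $2?
accepts_by_fingerprint() { [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; }
accepts_by_public_key()  { [ "$(spki_hash "$1")" = "$(spki_hash "$2")" ]; }

# Issue a self-signed certificate: issue_cert <name> <serial> <days>
issue_cert() {
    openssl req -new -x509 -key "$workdir/signing.key" \
        -subj "/CN=constructed-metadata-signer" \
        -set_serial "$2" -days "$3" -out "$workdir/$1.pem"
}

openssl genrsa -out "$workdir/signing.key" 2048 2>/dev/null
issue_cert old 1 30          # the certificate the consumer pinned
issue_cert renewed 2 3650    # same key, new serial and validity period

for pin in fingerprint public_key; do
    if "accepts_by_$pin" "$workdir/old.pem" "$workdir/renewed.pem"; then
        echo "pinned by $pin: renewed certificate accepted"
    else
        echo "pinned by $pin: renewed certificate REJECTED"
    fi
done
```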


