Skip to Content.
Sympa Menu

metadata-support - [Metadata-Support] RE: significant slowdown in XML Signature validation

Subject: InCommon metadata support

List archive

[Metadata-Support] RE: significant slowdown in XML Signature validation

Chronological Thread 
  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: [Metadata-Support] RE: significant slowdown in XML Signature validation
  • Date: Tue, 16 Feb 2016 20:05:00 +0000
  • Accept-language: en-US
  • Authentication-results: spf=pass (sender IP is;; dkim=none (message not signed) header.d=none;; dmarc=bestguesspass action=none;
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:23

> With the new eduGAIN containing metadata, we’re seeing a significant
> slowdown in the time it takes shibd to start up, and this appears to be in
> the
> signature validation step.

My impression hasn't been that it's validation time, I've been ascribing it
to transit time or more likely just the raw DOM parsing time. I don't think
you can assume it's the signature unless you actually measured that under a

> Of course, the slowdown means that the init.d scripts (on RedHat) now
> complain about failure unless you significantly boost the SHIBD_WAIT setting
> from its default of 30 seconds.

Yes, many people have had to do that in other deployments for a long time. On
newer systems, systemd more or less eliminates the need to set anything.

> Is there anything that anyone is aware of which can be done to improve the
> shibd loading time? Is this just going to be a fact of life for the future?

The obvious solution is per-entity metadata queries. Neither the parsing nor
the signature step is going to get better, not appreciably.

-- Scott

Archive powered by MHonArc 2.6.16.

Top of Page