
metadata-support - RE: [Metadata-Support] significant slowdown in XML Signature validation

Subject: InCommon metadata support

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: RE: [Metadata-Support] significant slowdown in XML Signature validation
  • Date: Thu, 18 Feb 2016 16:24:54 +0000
  • Accept-language: en-US

> I wrote some scripts to take the InCommon metadata file, split it into two
> files - one containing just SPs, the other containing IDPs, and then signed
> them both with my own certificate (with the same sha256 signatures).
> Loading just the IDP metadata file (which is about 13MB) and starting shibd
> takes about 20 seconds, compared to over a minute for loading the whole
> InCommon file. Furthermore, the resident size of the shibd process drops
> from 256MB with the full InCommon file, down to about 120MB with just the
> IDP metadata loaded.

You can easily drop roles you don't want anyway, so I doubt that's a material
difference, though obviously the verification time is.

Also, none of the delay applies to reloads, as that's in the background.

> Is there any particular reason why InCommon puts all of the SPs and IDPs
> together into one big metadata file? As I understand it, the Service Provider
> only needs to load the metadata for IDPs, and vice-versa, so there's a lot of
> bloat in the file that doesn't really need to be there for normal operations.

That's obviously up to InC Ops. I would imagine the answer is that it never
mattered much before and now it might help, but only in a relatively small
way since one doesn't restart shibd very often.

-- Scott
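The role split the original poster describes, written out as an added example; these are not the poster's scripts (which are not in the thread) and the sample aggregate below is constructed, not real InCommon metadata. The script walks nested EntitiesDescriptor groups, keeps only EntityDescriptors that carry the requested role, and drops the aggregate's ds:Signature, because once the tree is edited that signature no longer verifies. That is why the poster had to re-sign with their own certificate, and it is the caveat a practitioner should weigh: an SP that verifies a locally re-signed file is trusting the local key rather than the federation's. Filtering roles inside the SP after it has verified the federation signature, which is the "drop roles you don't want" option Scott refers to, keeps the federation key as the trust root.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Role descriptors a caller may ask to retain. An entity with both roles
# (IdP and SP in one EntityDescriptor) is kept whole under either choice.
ROLE_ELEMENT = {
    "idp": f"{{{MD}}}IDPSSODescriptor",
    "sp": f"{{{MD}}}SPSSODescriptor",
}

def _prune(parent, role_tag):
    """Recursively drop EntityDescriptors lacking role_tag; return kept entityIDs."""
    kept = []
    for child in list(parent):  # copy: we mutate parent while walking it
        if child.tag == f"{{{MD}}}EntitiesDescriptor":
            kept.extend(_prune(child, role_tag))
            # Remove a group that ended up empty after pruning.
            if (child.find(f"{{{MD}}}EntityDescriptor") is None
                    and child.find(f"{{{MD}}}EntitiesDescriptor") is None):
                parent.remove(child)
        elif child.tag == f"{{{MD}}}EntityDescriptor":
            if child.find(role_tag) is None:
                parent.remove(child)
            else:
                kept.append(child.get("entityID"))
        elif child.tag == f"{{{DS}}}Signature":
            # The aggregate signature covered the original document; after
            # editing it is invalid, so drop it rather than ship a broken one.
            parent.remove(child)
    return kept

def split_aggregate(xml_bytes, role):
    """Return (serialized XML, list of retained entityIDs) for one role."""
    root = ET.fromstring(xml_bytes)
    kept = _prune(root, ROLE_ELEMENT[role])
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), kept

# Constructed sample aggregate: one IdP, one SP, a nested group holding an
# entity that is both plus a second SP, and a placeholder signature.
SAMPLE = b"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="urn:example:subgroup">
    <md:EntityDescriptor entityID="https://both.example.net/saml">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
    <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    for role in ("idp", "sp"):
        out, kept = split_aggregate(SAMPLE, role)
        print(f"{role}: {len(SAMPLE)} -> {len(out)} bytes, kept {kept}")
```

Run against a real aggregate, the byte counts give the same kind of size comparison the poster reports for the IdP-only file; the script does not sign anything, so the output is only fit for an SP that has been told to skip signature checking, which is not a configuration to run in production.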
