metadata-support - RE: [Metadata-Support] significant slowdown in XML Signature validation

Subject: InCommon metadata support

List archive

RE: [Metadata-Support] significant slowdown in XML Signature validation

From: "Cantor, Scott" <>
To: "" <>
Subject: RE: [Metadata-Support] significant slowdown in XML Signature validation
Date: Thu, 18 Feb 2016 16:24:54 +0000
Accept-language: en-US
Authentication-results: spf=pass (sender IP is 164.107.81.216) smtp.mailfrom=osu.edu; incommon.org; dkim=none (message not signed) header.d=none;incommon.org; dmarc=bestguesspass action=none header.from=osu.edu;
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:23

> I wrote some scripts to take the InCommon metadata file, split it into two
> files - one containing just SPs, the other containing IDPs, and then signed
> them both with my own certificate (with the same sha256 signatures).
> Loading just the IDP metadata file (which is about 13MB) and starting shibd
> takes about 20 seconds, compared to over a minute for loading the whole
> InCommon file. Furthermore, the resident size of the shibd process drops
> from 256MB with the full InCommon file, down to about 120MB with just the
> IDP metadata loaded.

You can easily drop roles you don't want anyway, so I doubt that's a material
difference, though obviously the verification time is.

Also, none of the delay applies to reloads, as that's in the background.

> Is there any particular reason why InCommon puts all of the SPs and IDPs
> together into one big metadata file? As I understand it, the Service
> Provider
> only needs to load the metadata for IDPs, and vice-versa, so there's a lot
> of
> bloat in the file that doesn't really need to be there for normal
> operations.

That's obviously up to InC Ops. I would imagine the answer is that it never
mattered much before and now it might help, but only in a relatively small
way since one doesn't restart shibd very often.

-- Scott

[Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/16/2016
- [Metadata-Support] RE: significant slowdown in XML Signature validation, Cantor, Scott, 02/16/2016
  - Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/16/2016
    - RE: [Metadata-Support] significant slowdown in XML Signature validation, Cantor, Scott, 02/16/2016
      - Re: [Metadata-Support] significant slowdown in XML Signature validation, Tom Scavo, 02/16/2016
        
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Ian Young, 02/16/2016
        
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/16/2016
        
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/18/2016
        
        RE: [Metadata-Support] significant slowdown in XML Signature validation, Cantor, Scott, 02/18/2016
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Tom Scavo, 02/18/2016
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/19/2016
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Cantor, Scott, 02/19/2016
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/19/2016
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Cantor, Scott, 02/19/2016
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Cantor, Scott, 02/19/2016
        
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Tom Scavo, 02/19/2016
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/19/2016
        
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Tom Scavo, 02/19/2016
        Re: [Metadata-Support] significant slowdown in XML Signature validation, Jeffrey Eaton, 02/22/2016

List archive

RE: [Metadata-Support] significant slowdown in XML Signature validation