Per-Entity Metadata Working Group

[Tom Scavo <>]

On Wed, Jul 27, 2016 at 2:00 PM, Cantor, Scott 
<>
 wrote:
> On 7/27/16, 1:41 PM, 
> "
>  on behalf of Tom Scavo" 
> <
>  on behalf of 
> >
>  wrote:
>
>> Well, no, let's be clear: the system we have now can tolerate very
>> long outages, on the order of hours or days (not minutes). Our
>> (current) infrastructure is based on that fact.
>
> I don't think it's really been put to the test. Have we had outages of a 
> length that would validate that assumption?

We don't sign metadata on weekends and holidays. The exception is the
so-called Christmas break. In the last few years, we started signing
metadata smack in the middle of Christmas vacation, but we didn't use
to do that. (Btw, historically that's one reason why the validity
interval on the metadata file is two weeks.)

We didn't used to sign metadata during Internet2 Member Meetings.
That, too, changed a few years ago.

We have two identical, geographically dispersed metadata servers with
manual failover. In the six years I've been here, that has worked
flawlessly. Yes, anything manual is a risk but I deem that risk to be
acceptable in this case. Of course anyone is entitled to disagree with
that conclusion (but per-entity metadata will make such arguments
moot).

Here's a concrete example: Prior to full eduGAIN integration, we
exported some SP metadata to eduGAIN as a pilot (or proof of concept).
We created an aggregate of global IdP metadata on the
mdq-beta.incommon.org server. The SPs in the pilot reconfigured their
SP software to consume the aggregate on the MDQ beta server.

Last summer, the MDQ beta server stopped refreshing metadata. We
didn't realize what had happened until two weeks later when local
metadata expired. ScottK can comment on that incident since he was
involved in the pilot.

So, yeah, an MDQ server is a completely different ballgame.

Tom