Per-Entity Metadata Working Group list archive
[Per-Entity] Does MDQ with single entity signing result in shorter usage periods for the signing key?
- From: Thomas Lenggenhager <>
- To: Per-Entity Metadata Working Group <>
- Subject: [Per-Entity] Does MDQ with single entity signing result in shorter usage periods for the signing key?
- Date: Thu, 4 Aug 2016 08:22:07 +0200
- Organization: SWITCH
If I remember correctly from what I once learned in a cryptography class: The more signed material you produce with a key the easier it gets to attack it.
MDQ with single entity signing would heavily increase the number of signed documents publicly accessible. Do we therefore need to shorten the usage period of the metadata signing key?
Who knows more about this topic?
Is that something we need to consider before deploying?
Thomas
NB: SWITCHaai metadata signing would not be affected much since we use a dedicated PKI for it. We replace the signing key at least every three years. The trust root configured in most entities is the twenty-year-valid root CA certificate of the dedicated PKI, stored in a safe. Entities other than Shibboleth, which usually do not support PKI for metadata verification, need to configure the intermediate CA certificate as trust root and replace it every five years when we replace that one:
https://www.switch.ch/pki/aai/
--
SWITCH
------
Thomas Lenggenhager, Central Solutions
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 1505 direct +41 44 268 1541
https://www.switch.ch
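The dedicated-PKI arrangement described in the post (an offline root as the trust anchor, an intermediate that non-PKI-capable software pins instead, and a signing key that is replaced every few years) can be exercised end to end with the Go standard library. The following is an added example, not code from the thread or from SWITCH: it uses ECDSA P-256 and a detached signature over raw bytes in place of the RSA XML Signature an MDQ server would actually produce, the certificate names and the sample entity descriptor are constructed, and only the 20/5/3-year lifetimes are taken from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type entity struct { // a certificate together with the private key that controls it
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for a fresh P-256 key. CAs get KeyUsageCertSign,
// signers KeyUsageDigitalSignature; with parent == nil the cert is self-signed.
func issue(cn string, years int, usage x509.KeyUsage, parent *entity) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial only
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  usage == x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	parentCert, signingKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signingKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signingKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &entity{cert: cert, key: key}, err
}

// buildPKI mirrors the layout in the post: a long-lived root kept offline, an
// intermediate, and a short-lived signing key (20, 5 and 3 years, as quoted).
func buildPKI() (root, inter, signer *entity, err error) {
	if root, err = issue("Metadata Root CA (constructed)", 20, x509.KeyUsageCertSign, nil); err == nil {
		if inter, err = issue("Metadata Intermediate CA (constructed)", 5, x509.KeyUsageCertSign, root); err == nil {
			signer, err = issue("Metadata Signer (constructed)", 3, x509.KeyUsageDigitalSignature, inter)
		}
	}
	return
}

// signMetadata makes a detached ECDSA/SHA-256 signature over the metadata bytes,
// standing in for the XML Signature an MDQ server would emit.
func signMetadata(signer *entity, metadata []byte) ([]byte, error) {
	digest := sha256.Sum256(metadata)
	return ecdsa.SignASN1(rand.Reader, signer.key, digest[:])
}

// verifyMetadata is the relying-party side: chain the signer certificate to the
// configured trust anchor (the root, or the pinned intermediate for software that
// cannot walk a chain), then check the signature with the chained public key.
func verifyMetadata(metadata, sig []byte, signerCert *x509.Certificate, intermediates []*x509.Certificate, anchor *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signerCert.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate does not chain to the trust anchor: %w", err)
	}
	digest := sha256.Sum256(metadata)
	if pub, ok := signerCert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("metadata signature does not verify")
	}
	return nil
}

func main() {
	root, inter, signer, err := buildPKI()
	if err != nil {
		panic(err)
	}
	md := []byte(`<EntityDescriptor entityID="https://idp.example.org/idp"/>`) // constructed sample
	sig, _ := signMetadata(signer, md)
	rotated, _ := issue("Metadata Signer (constructed, rotated)", 3, x509.KeyUsageDigitalSignature, inter)
	sig2, _ := signMetadata(rotated, md)
	chain := []*x509.Certificate{inter.cert}
	fmt.Println("root anchor:", verifyMetadata(md, sig, signer.cert, chain, root.cert))
	fmt.Println("pinned intermediate:", verifyMetadata(md, sig, signer.cert, nil, inter.cert))
	fmt.Println("after rotation:", verifyMetadata(md, sig2, rotated.cert, chain, root.cert))
	fmt.Println("tampered:", verifyMetadata(append(md, '!'), sig, signer.cert, chain, root.cert))
}
```

The four lines main prints cover the cases the post distinguishes: a relying party anchored on the offline root, one that pins the intermediate because its software cannot walk a chain, a signature from a rotated signing key verifying under both unchanged anchors, and tampered metadata being rejected. Retiring the signing key is just another call to issue() under the same intermediate, so whatever usage period the working group settles on can be applied without touching the trust anchors relying parties have configured.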