
Re: [Per-Entity] remaining BIG questions


  • From: Tom Scavo <>
  • To: "Cantor, Scott" <>
  • Cc: Tom Scavo <>, Nick Roy <>, Per-Entity Metadata Working Group <>
  • Subject: Re: [Per-Entity] remaining BIG questions
  • Date: Wed, 14 Sep 2016 15:05:52 -0400

On Wed, Sep 14, 2016 at 2:38 PM, Cantor, Scott <> wrote:
> On 9/14/16, 2:33 PM, " on behalf of Tom Scavo" < on behalf of > wrote:
>
>> Well, I can answer the latter question definitively...per-entity
>> metadata will be produced once per business day, in conjunction with our
>> current metadata signing process. When we push newly signed aggregates
>> to md.incommon.org (around 3:30 pm ET), we will also push newly signed
>> entities to mdq.incommon.org at more-or-less the same time.
>
> I think the more relevant question is whether we have a policy of emergency
> signing in the face of a key compromise.

I assume you mean the compromise of a key in entity metadata. First,
let me say we have never been contacted about a compromised key. OTOH,
we have been contacted many times for interoperability issues. In
either case, we may or may not be able to respond to the request
depending on the time of day and the day of the week. A metadata
signing event requires two individuals, one from a group of 3--4 and
one from a group of 4--5. Such an event is much more likely to occur
during business hours. If we are contacted on the weekend (and this
has happened before), it is very unlikely we would be able to sign.

This is what I was trying to say on the call: We need to implement
on-demand metadata signing, which is the ability for authorized
personnel to initiate a metadata signing operation from anywhere at
any time. We have a plan for that but no time frame.

> If so, the refresh policy would be driven by that more than the routine
> case.

See above.

> I know I refresh every 4 hours now, but that's mostly historical and
> because the HTTP conditional GETs make it free for me to do so.

Exactly.

> Anyway, you get my point: you want cacheDuration to drive the consumers to
> check at the interval you want to be able to get a revocation change made.

Today we deal with that in documentation: "It is strongly recommended
that InCommon SPs and IdPs refresh and verify metadata at least daily.
An optimal configuration would attempt to refresh metadata every hour
(assuming your client supports HTTP Conditional GET)."

See the Metadata Consumption wiki page: https://spaces.internet2.edu/x/JwQjAQ

Tom
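The refresh logic the thread is circling (cacheDuration and validUntil from the publisher, a local "at least hourly" policy, and HTTP Conditional GET so unchanged entities are cheap to re-check) as an added example; this is not code from the thread or from InCommon, and the entity document, the timestamp and the local policy value are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed samples: what one per-entity document from an MDQ server might look like.
SAMPLE_ENTITY = f'<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.org/shibboleth" ' \
                'cacheDuration="PT6H" validUntil="2016-09-28T19:30:00Z"/>'
EXPIRED_ENTITY = f'<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.org/shibboleth" ' \
                 'cacheDuration="PT6H" validUntil="2016-09-01T19:30:00Z"/>'
NOW = datetime(2016, 9, 14, 19, 5, 52, tzinfo=timezone.utc)  # constructed "current time"

_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(s):
    """Parse the xs:duration subset (days/hours/minutes/seconds) seen in SAML metadata."""
    m = _DUR.match(s)
    if not m:
        raise ValueError(f"unsupported duration: {s}")
    d, h, mi, sec = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=sec)

def next_refresh(xml_text, now, local_max=timedelta(hours=1)):
    """Return (next_check_time, expired): the earliest of local policy, cacheDuration
    and validUntil decides when to re-fetch; an expired validUntil must not be trusted."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    interval = local_max
    cd = root.get("cacheDuration")
    if cd:
        interval = min(interval, parse_duration(cd))
    expired = False
    vu = root.get("validUntil")
    if vu:
        valid_until = datetime.strptime(vu, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if valid_until <= now:
            expired = True
        else:
            interval = min(interval, valid_until - now)
    return now + interval, expired

def conditional_headers(cache_entry):
    """Request headers for HTTP Conditional GET: an unchanged entity answers 304, not a full body."""
    h = {"Accept": "application/samlmetadata+xml"}
    if cache_entry.get("etag"):
        h["If-None-Match"] = cache_entry["etag"]
    if cache_entry.get("last_modified"):
        h["If-Modified-Since"] = cache_entry["last_modified"]
    return h
```

With the sample above the local hourly policy wins over the publisher's six-hour cacheDuration, which is exactly the "optimal configuration" the wiki text recommends.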



Archive powered by MHonArc 2.6.19.
