Per-Entity Metadata Working Group

[Rhys Smith <>]

Linked to on the front page of http://mdq.ukfederation.org.uk.

Highlights - sha256 sig alg 4096 bit RSA, expires end 2037.

Rhys.
--
Dr Rhys Smith
Chief Technical Architect, Trust & Identity
Jisc

T: +44 (0) 1235 822145
M: +44 (0) 7968 087821
Skype: rhys-smith
GPG: 0x4638C985
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by 
guarantee which is registered in England under Company No. 5747339, VAT No. 
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, 
Bristol, BS2 0JA. T 0203 697 5800.

> On 24 Nov 2016, at 18:23, Tom Scavo 
> <>
>  wrote:
> 
> Thanks Rhys. Can you give a pointer to the new signing certificate?
> I'm curious to know the size of the key (among other things).
> 
> Tom
> 
> On Thu, Nov 24, 2016 at 12:15 PM, Rhys Smith 
> <>
>  wrote:
>> FYI, for those interested.
>> 
>> Finally found the time to switch the signing key used for the UKf MDQ to a 
>> new one.
>> 
>> So the UKf aggregates are at http://metadata.ukfederation.org.uk/foo and 
>> signed by our old key, imported into and held on the HSM; MDQ is at 
>> http://mdq.ukfederation.org.uk/foo and signed by our new key, generated 
>> on, and held on, the HSM.
>> 
>> So the UKf’s MDQ service is now essentially production ready and live, and 
>> we’ll start to get customers to start using it in anger soon.
>> 
>> Still interested in ways we can work together to share things and make 
>> things more resilient, though, as I suspect you all know :-).
>> 
>> Rhys.
>> 
>> 
>>> On 28 Oct 2016, at 15:08, Nicholas Roy 
>>> <>
>>>  wrote:
>>> 
>>> Thanks Rhys, makes sense.
>>> 
>>> Nick
>>> 
>>> On 10/28/16 6:12 AM, Rhys Smith wrote:
>>>> This is a temporary work around until Azure adds native v6 support. When 
>>>> it does, we can get rid of it.
>>>> 
>>>> The v6 proxies are a redundant pair of VMs, so yes, they are introducing 
>>>> an extra point of failure, but it’s been designed so it’s a fairly low 
>>>> risk of failing. The two VMs are geographically resilient, and all they 
>>>> are is apache servers proxying requests to the v4 servers, so there’s 
>>>> not much to go wrong at the application level.
>>>> 
>>>> For us, not supporting v6 was not an option - we’ve had v6 support on 
>>>> our MD dist servers for many years now, and didn’t want to make 
>>>> refreshing the infrastructure introduce retrograde steps.
>>>> 
>>>> Rhys.
>>>> --
>>>> Dr Rhys Smith
>>>> Chief Technical Architect, Trust & Identity
>>>> Jisc
>>>> 
>>>> T: +44 (0) 1235 822145
>>>> M: +44 (0) 7968 087821
>>>> Skype: rhys-smith
>>>> GPG: 0x4638C985
>>>> Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
>>>> 
>>>> jisc.ac.uk
>>>> 
>>>> Jisc is a registered charity (number 1149740) and a company limited by 
>>>> guarantee which is registered in England under Company No. 5747339, VAT 
>>>> No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower 
>>>> Hill, Bristol, BS2 0JA. T 0203 697 5800.
>>>> 
>>>>> On 27 Oct 2016, at 22:37, Nicholas Roy 
>>>>> <>
>>>>>  wrote:
>>>>> 
>>>>> Is the addition of in-house infrastructure that proxies v6 introducing 
>>>>> an additional point of failure?  Do you think the risk is worth 
>>>>> supporting v6 right now?
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> Nick
>>>>> 
>>>>> On 10/27/16 12:55 PM, Tom Scavo wrote:
>>>>>> On Thu, Oct 27, 2016 at 12:22 PM, Rhys Smith 
>>>>>> <>
>>>>>>  wrote:
>>>>>>> What’s weird is that the first two worked at all… Unless your client 
>>>>>>> decided to do v4 for those queries for some reason. If it did work 
>>>>>>> over v6, I have *no* idea how!
>>>>>> After you made the patch, I can confirm that all three use IPv6.
>>>>>> However, I don't have verbose output that pre-dates your patch, sorry.
>>>>>> 
>>>>>> Tom
>>>>>> 
>>>>>>>> On 27 Oct 2016, at 13:37, Tom Scavo 
>>>>>>>> <>
>>>>>>>>  wrote:
>>>>>>>> 
>>>>>>>> On Thu, Oct 27, 2016 at 8:25 AM, Rhys Smith 
>>>>>>>> <>
>>>>>>>>  wrote:
>>>>>>>>> Should be fixed…
>>>>>>>> Yup, works great.
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> 
>>>>>>>> Tom
>>>>>>>> 
>>>>>>>>>> On 27 Oct 2016, at 13:04, Rhys Smith 
>>>>>>>>>> <>
>>>>>>>>>>  wrote:
>>>>>>>>>> 
>>>>>>>>>> Oh bo*****s. Yes, sorry, that’s v6 at play. The UKf infrastructure 
>>>>>>>>>> is v4 only hosted in azure, with a set of v6 proxies hosted on our 
>>>>>>>>>> own infrastructure that proxies to the v4 for the MD dist and CDS. 
>>>>>>>>>> I set up the MDQ stuff on the servers themselves, and forgot to 
>>>>>>>>>> update the v6 proxy config accordingly.
>>>>>>>>>> 
>>>>>>>>>> Thanks for pointing this out :-). I’ll fix that later so v6 works 
>>>>>>>>>> as well.
>>>>>>>>>> 
>>>>>>>>>> Rhys.
>>>>>>>>>> --
>>>>>>>>>> Dr Rhys Smith
>>>>>>>>>> Chief Technical Architect, Trust & Identity
>>>>>>>>>> Jisc
>>>>>>>>>> 
>>>>>>>>>> T: +44 (0) 1235 822145
>>>>>>>>>> M: +44 (0) 7968 087821
>>>>>>>>>> Skype: rhys-smith
>>>>>>>>>> GPG: 0x4638C985
>>>>>>>>>> Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
>>>>>>>>>> 
>>>>>>>>>> jisc.ac.uk
>>>>>>>>>> 
>>>>>>>>>> Jisc is a registered charity (number 1149740) and a company 
>>>>>>>>>> limited by guarantee which is registered in England under Company 
>>>>>>>>>> No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: 
>>>>>>>>>> One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>>>>>>>>>> 
>>>>>>>>>>> On 27 Oct 2016, at 12:47, Tom Scavo 
>>>>>>>>>>> <>
>>>>>>>>>>>  wrote:
>>>>>>>>>>> 
>>>>>>>>>>> On Thu, Oct 27, 2016 at 2:09 AM, Rhys Smith 
>>>>>>>>>>> <>
>>>>>>>>>>>  wrote:
>>>>>>>>>>>>> On 27 Oct 2016, at 01:28, Tom Scavo 
>>>>>>>>>>>>> <>
>>>>>>>>>>>>>  wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Wed, Oct 26, 2016 at 5:11 PM, Rhys Smith 
>>>>>>>>>>>>> <>
>>>>>>>>>>>>>  wrote:
>>>>>>>>>>>>>>> On 26 Oct 2016, at 22:04, Rhys Smith 
>>>>>>>>>>>>>>> <>
>>>>>>>>>>>>>>>  wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> UKf Test IdP: curl --compress 
>>>>>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>>>>>> UKf Test IdP (SHA1 query): curl --compress 
>>>>>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D9bbc0354ea6f33ee008fcbe3c7680c0460e9cd1b
>>>>>>>>>>>>>> Sorry, that second one should be:  curl --compress 
>>>>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D52e2065fc0d53744e8d4ee2c2f30696ebfc5def9
>>>>>>>>>>>>> The latter two URLs work fine, the first one does not.
>>>>>>>>>>>> Does not in what way? Seems to work for me.
>>>>>>>>>>> That's weird, I get 404 not found:
>>>>>>>>>>> 
>>>>>>>>>>> $ curl --version
>>>>>>>>>>> curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 
>>>>>>>>>>> SecureTransport zlib/1.2.5
>>>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap 
>>>>>>>>>>> ldaps
>>>>>>>>>>> pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>>>> Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
>>>>>>>>>>> NTLM_WB SSL libz UnixSockets
>>>>>>>>>>> 
>>>>>>>>>>> $ curl --verbose --compress
>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>> *   Trying 2001:630:1:174::83...
>>>>>>>>>>> *   Trying 52.169.160.61...
>>>>>>>>>>> * Connected to mdq.ukfederation.org.uk (2001:630:1:174::83) port 
>>>>>>>>>>> 80 (#0)
>>>>>>>>>>>> GET 
>>>>>>>>>>>> /entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>>>  HTTP/1.1
>>>>>>>>>>>> Host: mdq.ukfederation.org.uk
>>>>>>>>>>>> User-Agent: curl/7.43.0
>>>>>>>>>>>> Accept: */*
>>>>>>>>>>>> Accept-Encoding: deflate, gzip
>>>>>>>>>>>> 
>>>>>>>>>>> < HTTP/1.1 404 Not Found
>>>>>>>>>>> < Date: Thu, 27 Oct 2016 11:43:49 GMT
>>>>>>>>>>> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
>>>>>>>>>>> < Content-Length: 258
>>>>>>>>>>> < Content-Type: text/html; charset=iso-8859-1
>>>>>>>>>>> <
>>>>>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>>>>>>> <html><head>
>>>>>>>>>>> <title>404 Not Found</title>
>>>>>>>>>>> </head><body>
>>>>>>>>>>> <h1>Not Found</h1>
>>>>>>>>>>> <p>The requested URL
>>>>>>>>>>> /entities/https://test-idp.ukfederation.org.uk/idp/shibboleth was 
>>>>>>>>>>> not
>>>>>>>>>>> found on this server.</p>
>>>>>>>>>>> </body></html>
>>>>>>>>>>> * Connection #0 to host mdq.ukfederation.org.uk left intact
>>> 
>> 
>

Attachment: smime.p7s
Description: S/MIME cryptographic signature