per-entity - Re: [Per-Entity] UKf MDQ server
Subject: Per-Entity Metadata Working Group
List archive
- From: Rhys Smith <>
- To: Scott Cantor <>
- Cc: Tom Scavo <>, "" <>
- Subject: Re: [Per-Entity] UKf MDQ server
- Date: Fri, 25 Nov 2016 17:24:48 +0000
- Accept-language: en-GB, en-US
- Authentication-results: spf=none (sender IP is ) ;
- Ironport-phdr: 9a23:KLm9LxEzfiylFZhGwLdwUZ1GYnF86YWxBRYc798ds5kLTJ7yoMqwAkXT6L1XgUPTWs2DsrQf2rGQ6PqrCDBIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSijewZb1/IA+4oAnPucUbhYRvIbstxxXUpXdFZ/5Yzn5yK1KJmBb86Maw/Jp9/ClVpvks6c1OX7jkcqohVbBXAygoPG4z5M3wqBnMVhCP6WcGUmUXiRVHHQ7I5wznU5jrsyv6su192DSGPcDzULs5Vyiu47ttRRT1kyoMKSI3/3/LhcxxlKJboQyupxpjw47PfYqZMONycr7Bcd8GQGZMWNtaWS5cDYOmd4YBD/QPM/tEr4fzpFUOoxmxCw6tBOzzxTBFnXD20bE/0+k7EQHKwA4tEtQTu3rUttX1M6ISXPipwqnIzTTDdO5d1yr46IjJbhAhoeyHULVsf8rRyUgvDBnJgEiVqYzkIzOV1v8As2qa7+p7Se2jkXQopB1rrjiyxcchk4/EjZ8bxFDD8CV22oc1JdugRU5gYd6kEYBfuDqdN4tyXMwiX2FotDw8yrIYpZ62ejUBxpc/xxPHdfCLb4qF7gjgWeqPOzt1h25pdKiiixux9UWs0vPwWtWo3FpXqydIndvBumwI2hDO5MiLVv9w80Ki1DmT1g3e7/1LLEEomqfeNZEt3qI/mYYWvEnBBSD7l0v7gaqKeUgm5uSl6fzrbqv7qpKSLYN4lwXzP6A0lsCiAuk0LhICU3WZ9Om/0rDo4Ff3T69QjvIsl6nUqJDaKtofpq6+GwJazJsj5w+kDzejzNQYhWALI09bdxKDjojpJU/BIOr4DPumnlihkzNmy+rDPr3gB5XCMGTMn636fbZh8UJT1A0zzdVH65JVDLEOPu7zV1fvuNDEDBI1KQ+5z/j9BNh+yo8SQ3+DD6ydPa/KtF+H/OMvI+2CZI8Pvzb9LuAo5+TujX45gl8RZ7Kp3Z4WaHCkHvRrOEeZYXv3gtgdC2sFpBYxQPb3iF2BSTJTfWq9X7og5jEnD4KrFYbDRoaxj7yG2Se7G5pWZmZcBlCLC3foeJyIW+8SZyKIO8NujDoEVaSgS4891RCjrwv6y7t8LurI4S0Uq4jv1Nlz5+3Pix4y7zp0ANqB022TVW17gH4HRyJllJx49Hd2zUufmYNxheBfD5QH7PpPTgAgc8T0yPdnTd3+R1SSUM2OTQOcQsS9SQo0T84xi4s0Y1dmXe6njwzD9yirGLRTnrfNGZ9iofGU5GT4O8sokyWO76ImlVRzB5IXbWA=
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
> On 25 Nov 2016, at 16:49, Cantor, Scott
> <>
> wrote:
>
> On 11/24/16, 2:11 PM, "Rhys Smith"
> <
> on behalf of
> >
> wrote:
>
>> Highlights - sha256 sig alg 4096 bit RSA, expires end 2037.
>
> That's certainly interesting. Did you do any performance evaluation of the
> overhead of 4096 on the overall process?
Nothing comprehensive. Would be an interesting exercise though. This is
mainly long term thinking that if the cert is valid for another 21 years, we
probably want to be a bit ahead of the game.
My view here is that for any reasonably busy entity, the majority of times
the md is needed it’ll already be there, cached; it’s only the first lookup
where it’ll be downloaded and the signature verified. And it makes no
human-noticeable difference in my testing.
As for the creation of the signed metadata snippets, all of ours are
pre-created and cached, and with our HSM it makes essentially zero difference
to the creation process (the speed bottleneck is java and the network, not
the HSM doing the signing).
Where i’d want to go in the future is to create a parallel signed set of MDQ
using EC instead of RSA (for those who want it to all work a bit faster).
Obviously the state of EC support is a bit fraught at the moment though…
(ref: https://issues.shibboleth.net/jira/browse/XSTJ-44)
Rhys.
--
Dr Rhys Smith
Chief Technical Architect, Trust & Identity
Jisc
T: +44 (0) 1235 822145
M: +44 (0) 7968 087821
Skype: rhys-smith
GPG: 0x4638C985
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
- Re: [Per-Entity] UKf MDQ server, Rhys Smith, 11/24/2016
- Re: [Per-Entity] UKf MDQ server, Tom Scavo, 11/24/2016
- Re: [Per-Entity] UKf MDQ server, Rhys Smith, 11/24/2016
- Re: [Per-Entity] UKf MDQ server, Cantor, Scott, 11/25/2016
- Re: [Per-Entity] UKf MDQ server, Rhys Smith, 11/25/2016
- Re: [Per-Entity] UKf MDQ server, Cantor, Scott, 11/25/2016
- Re: [Per-Entity] UKf MDQ server, Rhys Smith, 11/24/2016
- Re: [Per-Entity] UKf MDQ server, Tom Scavo, 11/28/2016
- Re: [Per-Entity] UKf MDQ server, Ian Young, 11/28/2016
- Re: [Per-Entity] UKf MDQ server, Ian Young, 11/28/2016
- Re: [Per-Entity] UKf MDQ server, Ian Young, 11/28/2016
- Re: [Per-Entity] UKf MDQ server, Tom Scavo, 11/24/2016
Archive powered by MHonArc 2.6.19.