
per-entity - Re: [Per-Entity] UKf MDQ server

Subject: Per-Entity Metadata Working Group


Re: [Per-Entity] UKf MDQ server


  • From: Rhys Smith <>
  • To: Scott Cantor <>
  • Cc: Tom Scavo <>, <>
  • Subject: Re: [Per-Entity] UKf MDQ server
  • Date: Fri, 25 Nov 2016 17:24:48 +0000
  • Accept-language: en-GB, en-US


> On 25 Nov 2016, at 16:49, Cantor, Scott <> wrote:
>
> On 11/24/16, 2:11 PM, "Rhys Smith" <> on behalf of <> wrote:
>
>> Highlights - sha256 sig alg 4096 bit RSA, expires end 2037.
>
> That's certainly interesting. Did you do any performance evaluation of the
> overhead of 4096 on the overall process?

Nothing comprehensive. Would be an interesting exercise though. This is
mainly long term thinking that if the cert is valid for another 21 years, we
probably want to be a bit ahead of the game.

My view here is that for any reasonably busy entity, the majority of times
the md is needed it’ll already be there, cached; it’s only the first lookup
where it’ll be downloaded and the signature verified. And it makes no
human-noticeable difference in my testing.

As for the creation of the signed metadata snippets, all of ours are
pre-created and cached, and with our HSM it makes essentially zero difference
to the creation process (the speed bottleneck is java and the network, not
the HSM doing the signing).

Where I’d want to go in the future is to create a parallel signed set of MDQ
using EC instead of RSA (for those who want it to all work a bit faster).
Obviously the state of EC support is a bit fraught at the moment though…
(ref: https://issues.shibboleth.net/jira/browse/XSTJ-44)

Rhys.
--
Dr Rhys Smith
Chief Technical Architect, Trust & Identity
Jisc

T: +44 (0) 1235 822145
M: +44 (0) 7968 087821
Skype: rhys-smith
GPG: 0x4638C985
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.

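The model described in the message above (per-entity snippets pre-signed on the responder side, the client verifying a signature only on the first lookup and serving later lookups from cache) as an added example; this is not code from the UK federation, Jisc or Shibboleth. It assumes the Python `cryptography` package, stands in for the MDQ responder with an in-memory dict of pre-signed snippets, and uses constructed entityIDs and document bodies rather than real metadata. `time_verify` lets you measure rsa-sha256 with a 4096-bit key against ecdsa-sha256 on P-256 on your own hardware instead of guessing.

```python
"""Verify-once-then-cache MDQ client, with an RSA-4096 vs ECDSA P-256 verify timing check.

Added example, not UK federation or Shibboleth code. Assumes the `cryptography`
package; the MDQ responder is modelled as an in-memory dict of pre-signed
snippets, and the entityIDs and bodies below are constructed sample data.
"""
import time

from cryptography.exceptions import InvalidSignature  # raised by verify() on a bad snippet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa

# Constructed sample data: hypothetical entityIDs and stand-in EntityDescriptor bodies.
SAMPLE_ENTITIES = {
    "https://idp.example.ac.uk/idp": b"<EntityDescriptor entityID='https://idp.example.ac.uk/idp'/>",
    "https://sp.example.org/shibboleth": b"<EntityDescriptor entityID='https://sp.example.org/shibboleth'/>",
}


class RsaSha256Signer:
    """RSA PKCS#1 v1.5 with SHA-256, i.e. the rsa-sha256 XML-DSig algorithm."""

    def __init__(self, bits=4096):
        self.key = rsa.generate_private_key(public_exponent=65537, key_size=bits)

    def sign(self, data):
        return self.key.sign(data, padding.PKCS1v15(), hashes.SHA256())

    def verify(self, data, sig):
        # Raises cryptography.exceptions.InvalidSignature on mismatch.
        self.key.public_key().verify(sig, data, padding.PKCS1v15(), hashes.SHA256())


class EcdsaP256Signer:
    """ECDSA on P-256 with SHA-256, i.e. the ecdsa-sha256 XML-DSig algorithm."""

    def __init__(self):
        self.key = ec.generate_private_key(ec.SECP256R1())

    def sign(self, data):
        return self.key.sign(data, ec.ECDSA(hashes.SHA256()))

    def verify(self, data, sig):
        self.key.public_key().verify(sig, data, ec.ECDSA(hashes.SHA256()))


def presign(signer, entities):
    """Responder side: sign every per-entity snippet up front, as a pre-created, cached set."""
    return {eid: (body, signer.sign(body)) for eid, body in entities.items()}


class MdqClient:
    """Client side: download and verify a snippet once, then serve it from cache until it expires."""

    def __init__(self, responder, verifier, cache_duration=3600.0, clock=time.monotonic):
        self.responder = responder          # entityID -> (body, signature); stands in for HTTP GET
        self.verifier = verifier            # anything with verify(data, sig)
        self.cache_duration = cache_duration
        self.clock = clock                  # injectable so expiry can be tested without sleeping
        self.verifications = 0              # how many signature checks actually ran
        self._cache = {}                    # entityID -> (body, expires_at)

    def get(self, entity_id):
        now = self.clock()
        cached = self._cache.get(entity_id)
        if cached is not None and cached[1] > now:
            return cached[0]                # cache hit: no download, no signature check
        entry = self.responder.get(entity_id)
        if entry is None:
            return None                     # unknown entity (HTTP 404 from a real MDQ responder)
        body, sig = entry
        self.verifier.verify(body, sig)     # raises InvalidSignature; nothing is cached on failure
        self.verifications += 1
        self._cache[entity_id] = (body, now + self.cache_duration)
        return body


def time_verify(signer, data, rounds=50):
    """Mean seconds per signature verification for the given signer."""
    sig = signer.sign(data)
    start = time.perf_counter()
    for _ in range(rounds):
        signer.verify(data, sig)
    return (time.perf_counter() - start) / rounds


def demo():
    rsa_signer = RsaSha256Signer()          # 4096-bit key generation takes a few seconds
    ec_signer = EcdsaP256Signer()
    client = MdqClient(presign(rsa_signer, SAMPLE_ENTITIES), rsa_signer)
    eid = "https://idp.example.ac.uk/idp"
    client.get(eid)
    client.get(eid)                         # second lookup is served from cache
    body = SAMPLE_ENTITIES[eid]
    return {
        "verifications_for_two_lookups": client.verifications,
        "rsa4096_verify_seconds": time_verify(rsa_signer, body),
        "ecdsa_p256_verify_seconds": time_verify(ec_signer, body),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to see that two lookups of the same entity cost one verification and to get the per-verification timings for both algorithms on your machine. The client deliberately caches nothing when verification fails, so a tampered or mis-signed snippet never becomes a cached "good" entry; the injectable clock is what lets the cacheDuration expiry be exercised in a test without sleeping.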



