...
- On December 18, 2013, InCommon Operations will deploy three new metadata aggregates at the following permanent HTTP locations:
- http://md.incommon.org/InCommon/InCommon-metadata.xml (production metadata)
- http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml (fallback metadata)
- http://md.incommon.org/InCommon/InCommon-metadata-preview.xml (preview metadata)
- All new metadata aggregates will be signed using a new self-signed signing certificate set to expire on December 18, 2037.
- https://wayf.incommonfederation.org/bridge/certs/inc-md-cert.pemhttp://mdds.incommon.org/certs/inc-md-cert.pem
- Although the signing certificate is new, the signing key is not.
- All new metadata aggregates will be signed with the same key but the fallback metadata aggregate will use a different digest algorithm.
- The production metadata aggregate will be signed using a SHA-2 digest algorithm (specifically, SHA-256).
- Initially, the fallback metadata aggregate will be signed using the SHA-1 digest algorithm (which is what we use now).
- Initially, the preview metadata aggregate will be identical to the production metadata aggregate.
- All deployments shall migrate to one of the new metadata aggregates ASAP but no later than March 29, 2014.
- The current metadata aggregate will be replaced with a redirect to the fallback metadata aggregate on March 29, 2014.
- If your metadata process can verify an XML signature that uses the SHA-256 digest algorithm, migrate to either the production metadata aggregate or the preview metadata aggregate.
- If your metadata process can not verify an XML signature that uses the SHA-256 digest algorithm, migrate to the fallback metadata aggregate.
- All deployments shall be able to verify an XML signature that uses a SHA-256 digest algorithm by June 30, 2014.
- On June 30, the fallback metadata aggregate will be synced with the production metadata aggregate (i.e., all aggregates will be signed using the SHA-256 digest algorithm).
- After June 30, all metadata aggregates published by the InCommon Federation will be signed using the SHA-256 digest algorithm.
...
Wiki Markup Create a new self-signed signing certificate set to expire on December 18, 2037: \[*DONE*\]
- https://wayf.incommonfederation.org/bridge/certs/inc-md-cert.pemhttp://mdds.incommon.org/certs/inc-md-cert.pem
Wiki Markup On December 18, 2013, deploy three new metadata aggregates: \[*DONE*\]
- A new production metadata aggregate that uses the new self-signed certificate and a SHA-2 digest algorithm (specifically, SHA-256):
- A new fallback metadata aggregate that uses the new self-signed certificate and the SHA-1 digest algorithm (like we do now):
- A new preview metadata aggregate that is aliased to the production metadata aggregate:
Wiki Markup Advise all deployments to migrate to one of the new metadata aggregates ASAP but *no later than March 29, 2014*. \[*DONE*\]
Wiki Markup Create discussion list [metadata-support@incommon.org|https://lists.incommon.org/sympa/info/metadata-support]. \[*DONE*\]
- Replace the current metadata aggregate with a redirect to the fallback metadata aggregate on March 29, 2014.
- Retire the following resources on March 29, 2014:
- http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
- http://wayf.incommonfederation.org/InCommon/InCommon-metadata-test.xml
- https://wayf.incommonfederation.org/bridge/certs/inc-md-cert.pem
- https://wayf.incommonfederation.org/bridge/certs/incommon.pem
- https://wayf.incommonfederation.org/bridge/certs/ca.pem
- http://incommoncrl1.incommonfederation.org/crl/eecrls.crl
- http://incommoncrl2.incommonfederation.org/crl/eecrls.crl
- Sync the fallback metadata aggregate with the production metadata aggregate on June 30, 2014.
Wiki Markup Remove the redirect to the _fallback metadata aggregate_ on \[*date TBD*\].
...