...
| Note |
|---|
As of January 31, 2018, you You may also use TLS (https) to download the aggregates noted above. You are strongly advised not to depend solely on TLS for the security of your metadata downloads, and to continue the critical practice of verifying the signature on metadata according to the instructions on the Metadata Consumption page. Clients that are capable of doing so should continue to download metadata over unencrypted http. |
All metadata aggregates are signed using the same metadata signing key and the SHA-256 digest algorithm. To verify the signature on an aggregate, a consumer must obtain an authentic copy of the InCommon Metadata Signing Certificate.
...