edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
[eduGAIN-discuss] "Metadata Improvement Programme" (Was: SHA1/SHA2: eduGAIN's ability to digest and produce SHA2 signatures.)
Chronological Thread
- From: Brook Schofield <schofield AT terena.org>
- To: edugain-discuss AT geant.net
- Cc: edugain-tsg AT geant.net
- Subject: [eduGAIN-discuss] "Metadata Improvement Programme" (Was: SHA1/SHA2: eduGAIN's ability to digest and produce SHA2 signatures.)
- Date: Tue, 3 Dec 2013 14:34:45 +0100
- List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
- List-id: eduGAIN discussion list <edugain-discuss.geant.net>
All,
the TL;DR is:
1. visit http://goo.gl/6LUNDl
2. comment on your federation entry:
* which metadata signing, metadata software is used
* whether you can consume http://mds.edugain.org/feed-sha256.xml into your tools
* your plans or a URL for a SHA-256 feed into eduGAIN
1. visit http://goo.gl/6LUNDl
2. comment on your federation entry:
* which metadata signing, metadata software is used
* whether you can consume http://mds.edugain.org/feed-sha256.xml into your tools
* your plans or a URL for a SHA-256 feed into eduGAIN
* flag if you believe that the list 3 columns are inaccurate (results taken from eduGAIN.org/Metadata/ validator)
3. look at the "Software" tab if you have any information on SHA-256 support for metadata/messages of these tools
4. a revision of the Metadata Profile http://edugain.org/policy will reflect these "improvements"
5. the eduGAIN Steering Group will decide on the above profile the timeframe to enforce it.
Thanks,
-Brook
Since you've scrolled down further I'll explain more fully.
I'd take futher discussion to the eduGAIN-discuss AT geant.net list until such time as we have something to "vote" on or decide within the Steering Group.
Clearly this is of interest to the wider community - even beyond eduGAIN - but with 23 federations providing metadata to eduGAIN it is such a sizeable group that solving the problem will allow eduGAIN to require future federations metadata feeds to comply with this requirement continually lifting the bar.I'd take futher discussion to the eduGAIN-discuss AT geant.net list until such time as we have something to "vote" on or decide within the Steering Group.
In light of Chris' initial questions and the discussions on many other mailing lists there are two implications from the NIST recommendation on "disallowing" SHA-1 and Keys <2K in size.
1. The trust between federations (brokered by eduGAIN) and
2. The trust between entities within + beyond their federations.
These have been better articulated by Ian. I'm only focusing on the trust between federations as this is clearly in the remit of eduGAIN - and #2 will follow as a result (I hope). Equally some federations are focusing on #2 which will necessitate the same improvement in trust when those federations become part of an interfederation service. If you think this is the wrong direction please say so.
I've started to annotate http://goo.gl/6LUNDl and would appreciate completing the sections.
Please note that this is specific to those federations that provide a feed into eduGAIN and the assessment is based on that feed. There might be different practices within a federation and for other bilateral agreements.
1. The trust between federations (brokered by eduGAIN) and
2. The trust between entities within + beyond their federations.
These have been better articulated by Ian. I'm only focusing on the trust between federations as this is clearly in the remit of eduGAIN - and #2 will follow as a result (I hope). Equally some federations are focusing on #2 which will necessitate the same improvement in trust when those federations become part of an interfederation service. If you think this is the wrong direction please say so.
I've started to annotate http://goo.gl/6LUNDl and would appreciate completing the sections.
Please note that this is specific to those federations that provide a feed into eduGAIN and the assessment is based on that feed. There might be different practices within a federation and for other bilateral agreements.
eduGAIN has two paths forward:
1. update the Metadata Profile and kick out federations that don't comply.
2. work with federations to "improve" their metadata feed - and then adjust the Metadata Profile.
I think that the second path is better - because the eduGAIN SG can make this decision and doesn't need to defer to the eduGAIN Exec - since we won't be excluding federations from eduGAIN. We can always revisit this depending on how long it takes for federations to move on this. It is within the power of eduGAIN participants to move faster if you want. Whether the January 1st 2014 deadline can be reached is known. I'd say that is too aggressive to achieve - but we'll see how the coming weeks unfold ;-)
Currently we have a SHA-256 feed for you to consume http://mds.edugain.org/feed-sha256.xml once everyone confirms that they can use this feed - it could be switched to being the default feed.
The current Metadata Profile http://www.geant.net/service/eduGAIN/resources/Documents/eduGAIN_metadata_profile_v3.doc only details the 2k key requirement and doesn't make any signing requirement nor any requirement on keys within that feed. So an update on a range of topics is needed.
I'd appreciate your thoughts and commentary.
-Brook
-Brook
--
===================================================
Brook Schofield, TERENA Project Development Officer
TERENA Secretariat, Singel 468 D, 1017 AW Amsterdam, The Netherlands
Tel +31 20 530 4488 Fax +31 20 530 4499 Mob +31 65 155 3991
www.terena.org
Brook Schofield, TERENA Project Development Officer
TERENA Secretariat, Singel 468 D, 1017 AW Amsterdam, The Netherlands
Tel +31 20 530 4488 Fax +31 20 530 4499 Mob +31 65 155 3991
www.terena.org
- [eduGAIN-discuss] "Metadata Improvement Programme" (Was: SHA1/SHA2: eduGAIN's ability to digest and produce SHA2 signatures.), Brook Schofield, 12/03/2013
Archive powered by MHonArc 2.6.19.