edugain-discuss - Re: [eduGAIN-discuss] "Metadata Improvement Programme" (Was: SHA1/SHA2: eduGAIN's ability to digest and produce SHA2 signatures.)

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Dick Visser <visser AT terena.org>
  • To: Brook Schofield <schofield AT terena.org>
  • Cc: edugain-discuss AT geant.net, edugain-tsg AT geant.net
  • Subject: Re: [eduGAIN-discuss] "Metadata Improvement Programme" (Was: SHA1/SHA2: eduGAIN's ability to digest and produce SHA2 signatures.)
  • Date: Fri, 6 Dec 2013 12:56:20 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

Although according to some I'm not supposed to use the eduGAIN feed
directly (but receive it through my Home Federation), I do use it, and
I can confirm the verification of the SHA256 feed works fine with
SimpleSAMLphp.
Since it 'just works' I am now using this feed only.

We run SimpleSAMLphp r3242, which would be equal to version 1.11.0.

This is on host login.terena.org, which runs Ubuntu 12.04, which uses
"PHP 5.3.10-1ubuntu3.8 with Suhosin-Patch (cli) (built: Sep 4 2013
20:00:51)".




On 3 December 2013 14:34, Brook Schofield <schofield AT terena.org> wrote:
> All,
>
> the TL;DR is:
>
> 1. visit http://goo.gl/6LUNDl
> 2. comment on your federation entry:
> * which metadata signing, metadata software is used
> * whether you can consume http://mds.edugain.org/feed-sha256.xml into your
> tools
> * your plans or a URL for a SHA-256 feed into eduGAIN
> * flag if you believe that the list 3 columns are inaccurate (results taken
> from eduGAIN.org/Metadata/ validator)
> 3. look at the "Software" tab if you have any information on SHA-256 support
> for metadata/messages of these tools
> 4. a revision of the Metadata Profile http://edugain.org/policy will reflect
> these "improvements"
> 5. the eduGAIN Steering Group will decide on the above profile the timeframe
> to enforce it.
>
> Thanks,
>
> -Brook
>
> Since you've scrolled down further I'll explain more fully.
>
> I'd take further discussion to the eduGAIN-discuss AT geant.net list until such
> time as we have something to "vote" on or decide within the Steering Group.
>
> Clearly this is of interest to the wider community - even beyond eduGAIN -
> but with 23 federations providing metadata to eduGAIN it is such a sizeable
> group that solving the problem will allow eduGAIN to require future
> federations' metadata feeds to comply with this requirement, continually
> lifting the bar.
>
> In light of Chris' initial questions and the discussions on many other
> mailing lists there are two implications from the NIST recommendation on
> "disallowing" SHA-1 and Keys <2K in size.
>
> 1. The trust between federations (brokered by eduGAIN) and
> 2. The trust between entities within + beyond their federations.
>
> These have been better articulated by Ian. I'm only focusing on the trust
> between federations as this is clearly in the remit of eduGAIN - and #2 will
> follow as a result (I hope). Equally some federations are focusing on #2
> which will necessitate the same improvement in trust when those federations
> become part of an interfederation service. If you think this is the wrong
> direction please say so.
>
> I've started to annotate http://goo.gl/6LUNDl and would appreciate
> completing the sections.
>
> Please note that this is specific to those federations that provide a feed
> into eduGAIN and the assessment is based on that feed. There might be
> different practices within a federation and for other bilateral agreements.
>
> eduGAIN has two paths forward:
>
> 1. update the Metadata Profile and kick out federations that don't comply.
> 2. work with federations to "improve" their metadata feed - and then adjust
> the Metadata Profile.
>
> I think that the second path is better - because the eduGAIN SG can make
> this decision and doesn't need to defer to the eduGAIN Exec - since we won't
> be excluding federations from eduGAIN. We can always revisit this depending
> on how long it takes for federations to move on this. It is within the power
> of eduGAIN participants to move faster if you want. Whether the January 1st
> 2014 deadline can be reached is known. I'd say that is too aggressive to
> achieve - but we'll see how the coming weeks unfold ;-)
>
> Currently we have a SHA-256 feed for you to consume
> http://mds.edugain.org/feed-sha256.xml once everyone confirms that they can
> use this feed - it could be switched to being the default feed.
>
> The current Metadata Profile
> http://www.geant.net/service/eduGAIN/resources/Documents/eduGAIN_metadata_profile_v3.doc
> only details the 2k key requirement and doesn't make any signing requirement
> nor any requirement on keys within that feed. So an update on a range of
> topics is needed.
>
> I'd appreciate your thoughts and commentary.
>
> -Brook
> --
> ===================================================
> Brook Schofield, TERENA Project Development Officer
> TERENA Secretariat, Singel 468 D, 1017 AW Amsterdam, The Netherlands
> Tel +31 20 530 4488 Fax +31 20 530 4499 Mob +31 65 155 3991
> www.terena.org



--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
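As an added illustration, not code from this thread or from SimpleSAMLphp: a small stdlib-only audit over a SAML metadata aggregate that reports the two things the thread is about, SHA-1 signature/digest algorithm URIs and RSA keys below 2048 bits. The sample feed is constructed and abbreviated (no SignatureValue), and only bare ds:KeyValue keys are measured; the entityIDs and feed name are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# SHA-1 signature/digest URIs that NIST SP 800-131A disallows for new signatures
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}
MIN_RSA_BITS = 2048  # the "keys < 2K" threshold discussed in the thread

def audit_metadata(xml_text):
    """Return (signed object, finding) pairs for each ds:Signature in the aggregate that
    uses a weak algorithm or an RSA ds:KeyValue below MIN_RSA_BITS; [] means clean."""
    root = ET.fromstring(xml_text)
    parent = {child: elem for elem in root.iter() for child in elem}
    findings = []
    for sig in root.iter(DS + "Signature"):
        owner = parent.get(sig, root)  # the element this enveloped signature covers
        label = owner.get("entityID") or owner.get("Name") or owner.tag
        for kind in ("SignatureMethod", "DigestMethod"):
            for elem in sig.iter(DS + kind):
                if elem.get("Algorithm") in WEAK_ALGORITHMS:
                    findings.append((label, f"weak {kind} {elem.get('Algorithm')}"))
        # Only bare ds:KeyValue keys are measured; X.509 certificates would need a DER parser.
        for modulus in sig.iter(DS + "Modulus"):
            bits = int.from_bytes(base64.b64decode(modulus.text.strip()), "big").bit_length()
            if bits < MIN_RSA_BITS:
                findings.append((label, f"RSA key is {bits} bits, below {MIN_RSA_BITS}"))
    return findings

def _sig(sig_alg, digest_alg, bits):
    """Constructed, abbreviated ds:Signature (no SignatureValue) for the sample feed."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # odd value of exactly `bits` bits
    return (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>'
            f'<ds:Reference URI=""><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>'
            f'</ds:SignedInfo><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>'
            f'{base64.b64encode(modulus).decode()}</ds:Modulus></ds:RSAKeyValue></ds:KeyValue>'
            '</ds:KeyInfo></ds:Signature>')

# Constructed two-entry aggregate: a SHA-256 feed signature over one legacy SHA-1 entity.
SAMPLE_FEED = (
    '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="https://example.invalid/feed">'
    + _sig("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
           "http://www.w3.org/2001/04/xmlenc#sha256", 2048)
    + '<md:EntityDescriptor entityID="https://idp.example.invalid/legacy">'
    + _sig("http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1", 1024)
    + '</md:EntityDescriptor></md:EntitiesDescriptor>')
```

Running `audit_metadata(SAMPLE_FEED)` reports the legacy entity three times (SHA-1 signature, SHA-1 digest, 1024-bit key) and nothing for the SHA-256 feed signature itself.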