An open discussion list for topics related to the eduGAIN interfederation service.

[Tomasz Wolniewicz <twoln AT umk.pl>]

Hi,
  Following up on some metadata expiry cases we have re-visited the
following clause of the eduGAIN metedata profile:
"The metadata root element MUST contain validUntil attribute with a
value not later than 28 days after the signature timestamp"

While this clause mentions a signature timestamp which does not exist in
federation upstream metadata, it has a clear intention of not allowing
federations to provide metadata with very long lifetimes.

So far our approach was to react to situations where the validUntil
value was more then 28 days in advance from the current time, we did not
inspect any elements of the metadata file itself. If we wanted to be
more exact, then the only way we can implement it is by using the
creationInstant value within the PublicationInfo element as a substitute
of this signature timestamp. Unfortunately creationInstant is optional.

I would like to start a thread on this problem, so that we could reach a
consensus if we want to do something more about it or not.

On the eduGAIN status page: https://technical.edugain.org/status.php you
can now see blue exclamation marks, which mark a minor problem with
federation metadata (this will become red if something is seriously
wrong, like not access to metadata). Right now this blue exclamation
mark means that metadata does not contain the creationInstant attribute
in PublicationInfo, or does not contain the PublicationInfo at all (we
do not distinguish between these two). You can see that there are many
of these. The ones which are not marked do have the creationInstant and
you can see its value when you expand the view. There is one special
case - Ecuador MINGA - they do have a creationInstant but is shows
2014-11-27 14:14:00, while the validUntil is 2015-04-20 00:00:01 -
definitely too big a difference. This is most likely a simple mistake or
interpretation of the creationInstant meaning, MINGA does resign their
metadata, changing the validUntil to an approapriate value, but they
seem to keep creationInstant untouched.

So, any comments welcome.

Cheers
Tomasz



-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576