An open discussion list for topics related to the eduGAIN interfederation service.

[Peter Schober <peter.schober AT univie.ac.at>]

* Tomasz Wolniewicz <twoln AT umk.pl> [2015-04-09 12:46]:
> So far our approach was to react to situations where the validUntil
> value was more then 28 days in advance from the current time, we did
> not inspect any elements of the metadata file itself.

I think that's a perfectly reasonable method, and keeps things simple
for everyone.

> If we wanted to be more exact, then the only way we can implement it
> is by using the creationInstant value within the PublicationInfo
> element as a substitute of this signature timestamp. Unfortunately
> creationInstant is optional.

It's doubtful reading "signature timestamp" from the profile to
specifically mean mdrpi:PublicationInfo/@creationInstant is being
"More correct". (IMO the profile should be reworded, if you wanted
more clarity/correctness.)
To me that would be one way of interpreting the abstract requirement
that we don't want too large windows of opportunity in upsteam feeds.

The other being the current method, which is simple and works today.

FWIW, if someone wanted to easily add PublicationInfo to their SAML
metadata before signing, there's this simple XSLT snippet:
https://github.com/leifj/pyFF/blob/master/src/pyff/xslt/pubinfo.xsl
All you need is an xslt processor (e.g. xsltproc, or one included in
the language/API of your choice) and provide it with the value for
mdrpi:PublicationInfo/@publisher.

Best regards,
-peter

Attachment: signature.asc
Description: Digital signature