An open discussion list for topics related to the eduGAIN interfederation service.

[Ian Young <ian AT iay.org.uk>]

On 2019-11-25, at 15:03, Etienne Dysli Metref <etienne.dysli-metref AT switch.ch> wrote:

On 25/11/2019 14.49, Ian Young wrote:

0.8 and 0.9 also brought in a _ton_ of new features, so you can do a lot
more with the current one than you could do in 2013.

Cool! :)
From what I could read, the MDA can now sign metadata (using PKCS#11,
which I need). Do I still need xmlsectool then?

Yes, the signing stuff was improved and you can indeed sign with it using a PKCS#11 token as well as file-based keys. Whether you want to switch away from XMLSecTool depends on quite a lot of things. XMLSecTool is a bit more flexible in terms of what you can generate, and there may be things it can do that the MDA can't.

For what it's worth, we still sign the UKf aggregates with XMLSecTool. That's probably at least partly inertia but also partly because we run a _textual_ process on the unsigned aggregate to normalise (and thus reduce) its white space before signing. Also, the signing happens on a different machine so there's no real benefit to firing up a single MDA stage if XMLSecTool encapsulates the function we need.

Both the UKf and InCommon per-entity metadata is signed with the MDA, though. In that case, not having to execute XMLSecTool independently for each per-entity document was more valuable than the benefits of that space reduction process.

    -- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature