eduGAIN certificate change roadmap
Statement of the problem and short-term solution
The current certificate holding the eduGAIN signing key expires on July 1st 2019. If federations base their verification on the public key alone, then the expiration should not cause any disruption, but we realize that there may be some cases where this expiration could produce a problem and therefore suggest using the opportunity to implement some improvements.
The service should aim at the best standards of security; these should be the result of joint work of the whole eduGAIN community.
The current short-term proposal is to use the current key within a certificate of extended validity until 1.04.2021. This certificate is available at https://technical.edugain.org/mds-v1.cer. Since the certificate uses the same public key as the current one, eduGAIN member federations can easily validate its authenticity.
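The check this relies on, as an added example that is not eduGAIN OT's own code: a federation that pins on the public key compares the SHA-256 fingerprint of the SubjectPublicKeyInfo of the old and extended certificates rather than the certificate fingerprints, which differ on every re-issue. The two self-signed certificates are constructed in the script as stand-ins for the old and extended eduGAIN certificates; it assumes the openssl CLI is available.

```shell
#!/bin/sh
# Pin on the key, not the certificate: two certificates wrapping the same key
# give the same SPKI fingerprint even though their certificate fingerprints differ.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: one signing key wrapped in two self-signed certificates
# with different validity periods (stand-ins for the old and extended cert).
make_sample_certs() {
    openssl genrsa -out "$WORK/signing.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/signing.key" -days 30 \
        -subj "/CN=constructed-old" -out "$WORK/old.pem" 2>/dev/null
    openssl req -new -x509 -key "$WORK/signing.key" -days 730 \
        -subj "/CN=constructed-extended" -out "$WORK/extended.pem" 2>/dev/null
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo: stable across re-issued
# certificates as long as the key itself does not change.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 over the whole DER certificate: changes with every re-issue.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit status 0 when both certificates carry the same public key.
same_public_key() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

make_sample_certs
if same_public_key "$WORK/old.pem" "$WORK/extended.pem"; then
    echo "same signing key; pinned SPKI $(spki_fingerprint "$WORK/old.pem")"
else
    echo "public key changed: verify the new certificate out of band" >&2
    exit 1
fi
```

The same SPKI fingerprint can be taken from a feed's embedded KeyInfo certificate and compared against the pinned value before the XML signature is checked.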
eduGAIN OT publishes a new feed signed with this key and containing the new certificate at: https://mds.edugain.org/edugain-v1.xml.
This link will remain the official feed; however, for backwards compatibility, the new feed will also be distributed from 24.06.2019 under the old links: https://mds.edugain.org and https://mds.edugain.org/feed-sha256.xml.
The federations are expected to start using the new feed and to validate it with the new certificate. In order to assess the risk of disruptions in case some federations do not update in time, the OT has performed a number of tests on how the change in the feed may influence validation. The results, published at Signature validation tests, show that everything should run smoothly. (One interesting observation from these tests is that the xmlsec1 tool behaves rather unexpectedly and in general should not be used as a means of feed validation.)
The links to the feed and to the extended certificate are available from the page https://technical.edugain.org/metadata.