eduGAIN certificate change roadmap

Statement of the problem and short-term solution

The current certificate holding the eduGAIN signing key expires on July 1st 2019. If federations base their verification on the public key alone, the expiration should not cause any disruption. We realize, however, that in some cases the expiration could cause a problem, and we therefore suggest using the opportunity to implement some improvements.

The service should aim at the best standards of security, and these should be the result of joint work by the whole eduGAIN community.

The current short-term proposal is to use the current key within a certificate of extended validity until 1.04.2021. This certificate is available at https://technical.edugain.org/mds-v1.cer. Since the certificate uses the same public key as the current one, eduGAIN member federations can easily validate its authenticity.
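
The key-continuity check described above, as an added example (not eduGAIN's own tooling): it compares the SHA-256 of the subjectPublicKeyInfo of two certificates, so a re-issued certificate with a new expiry date still matches. The function names and the unsigned certificate skeletons are constructed for illustration; real input would be the certificate a federation already trusts and the downloaded mds-v1.cer.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def to_der(cert):
    """Accept PEM or DER bytes and return DER."""
    if b"-----BEGIN CERTIFICATE-----" in cert:
        body = cert.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        return base64.b64decode(b"".join(body.split()))
    return cert

def spki_sha256(cert):
    """SHA-256 over the DER subjectPublicKeyInfo of an X.509 certificate."""
    der = to_der(cert)
    _, pos, _ = read_tlv(der, 0)            # Certificate
    _, pos, _ = read_tlv(der, pos)          # tbsCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _field in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return hashlib.sha256(der[pos:end]).hexdigest()

def same_key(cert_a, cert_b):
    """True when both certificates carry the same public key."""
    return spki_sha256(cert_a) == spki_sha256(cert_b)

# Constructed sample input: unsigned certificate skeletons, not real eduGAIN data.
def tlv(tag, body=b""):
    n = len(body)                           # sample elements stay below 256 bytes
    return bytes([tag, n] if n < 128 else [tag, 0x81, n]) + body

def skeleton(key_bits, not_after):
    tbs = tlv(0x30, tlv(0xA0, tlv(2, b"\x02")) + tlv(2, b"\x01") + tlv(0x30) + tlv(0x30)
              + tlv(0x30, tlv(0x17, b"170101000000Z") + tlv(0x17, not_after)) + tlv(0x30)
              + tlv(0x30, tlv(0x30) + tlv(3, b"\x00" + key_bits)))
    return tlv(0x30, tbs + tlv(0x30) + tlv(3, b"\x00"))

OLD = skeleton(b"\x11" * 150, b"190701000000Z")    # expiring certificate
NEW = skeleton(b"\x11" * 150, b"210401000000Z")    # same key, extended validity
OTHER = skeleton(b"\x22" * 150, b"210401000000Z")  # different key
```

A matching fingerprint shows only that the key is unchanged; a whole-certificate fingerprint differs between `OLD` and `NEW`, which is why pinning the certificate rather than the key breaks on re-issue.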

eduGAIN OT publishes a new feed signed with this key and containing the new certificate at: https://mds.edugain.org/edugain-v1.xml.

This link will remain the new official feed; however, for backwards compatibility, the new feed will also be distributed from 24.06.2019 under the old links: https://mds.edugain.org and https://mds.edugain.org/feed-sha256.xml.

The federations are expected to start using the new feed and to validate it with the new certificate. In order to assess the risk of disruption in case some federations do not make the updates in time, the OT has performed a number of tests on how the change in the feed may influence validation. The results, published at Signature validation tests, show that everything should run smoothly. (One interesting observation resulting from these tests is that the xmlsec1 tool behaves rather unexpectedly and in general should not be used as a means of feed validation.)

The links to the feed and to the extended certificate are available from the page https://technical.edugain.org/metadata.

The long-term goal

Metadata aggregation and distribution

Work towards a satisfactory long-term solution has already started. The goal is to achieve very sound security in eduGAIN key management and signing by employing an advanced key generation ceremony and key storage and handling procedures. This work should be done in cooperation with the whole eduGAIN community and result in a new procedure for signing the eduGAIN aggregate (and possibly also individual entities). The new aggregate will be served as https://mds.edugain.org/edugain-v2.xml not later than the 1st of March 2021, but hopefully much earlier.

Metadata verification advisory

Tests performed during preparations for designing this proposal, described at Signature validation tests, have shown that signature verification procedures may sometimes lead to unsatisfactory results. An advisory for participating federations on best practices in performing the verification is planned.

Improving the overall eduGAIN security

This work item should focus on improving eduGAIN trust in general, such as establishing secure channels of communication between member federations and eduGAIN operations, procedures for communicating changes to federation representations, etc.