On 29 Jul 2009, at 12:23, Steve Prentice wrote:
> I see that validUntil is now live.
That is true. As announced a couple of weeks ago to technical
contacts, the production federation metadata now includes a validUntil
attribute. The current validity interval is 28 days, but that will be
gradually reduced (on a schedule as described in that mail to
technical contacts) to 14 days; it may vary thereafter, and we
haven't yet decided on what guarantees we want to give as to the
possible bounds that it might have in the long term.
> Can anyone just confirm please if the following (default) filter is
> correct for use here?
>
> <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata" maxValidityInterval="604800" />
>
> (In Shib2).
>
> Does the ValidityInterval need changing at all, or is it ok as is?
We don't recommend changing your Shibboleth configuration to require a
validUntil attribute at this point. The reasoning here is that as a
recently introduced feature, there is a small possibility that we'll
have to back the change out... which would leave you completely
without metadata.
We'll be providing specific recommendations once the system has
stabilised at a 14 day interval, in about a month. That perhaps
wasn't as clear as it could have been in the announcement, in which I
said:
> In order to gain maximum security benefit from this change, it will
> be necessary for sites using software capable of rejecting metadata
> *not* including validUntil to configure it to do so. We will
> provide additional guidance on this step once the transition has
> been completed.
If you feel that you nevertheless want to include this filter now (and
accept the risk that we might have to revert the change briefly), then
a 30-day interval should be sufficient for the moment. The example
you show (which works out at 7 days) is definitely not going to work
with the current 28-day interval.
-- Ian
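An added worked example, not code from this thread or from the Shibboleth project: a small Python model of what the RequiredValidUntil filter checks (the aggregate's root element must carry validUntil, and that timestamp may not lie more than maxValidityInterval seconds in the future), run against a constructed 28-day aggregate. It shows why maxValidityInterval="604800" (7 days) discards such metadata while a 30-day bound (2592000 seconds) accepts it. The function names, the sample metadata, the reference instant and the treatment of a non-positive interval as "no bound" are assumptions of this example.

```python
"""Model of the Shibboleth 2 RequiredValidUntil metadata filter (added example,
not the project's own code). It parses a SAML metadata aggregate and applies
the two checks the filter performs before the metadata is accepted."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_DATETIME = "%Y-%m-%dT%H:%M:%SZ"  # SAML dateTime values are UTC


class MetadataRejected(Exception):
    """Raised when the filter would cause the whole aggregate to be discarded."""


def parse_saml_datetime(value):
    """Parse a UTC SAML dateTime such as 2009-08-26T12:23:00Z."""
    return datetime.strptime(value, SAML_DATETIME).replace(tzinfo=timezone.utc)


def required_valid_until(metadata_xml, max_validity_interval, now=None):
    """Apply the RequiredValidUntil checks and return the parsed validUntil.

    max_validity_interval is in seconds, as in the filter's attribute.
    Assumption of this model: a value of 0 or less disables the upper bound
    and only the presence of validUntil is required.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise MetadataRejected("root element has no validUntil attribute")
    expiry = parse_saml_datetime(valid_until)
    if max_validity_interval > 0:
        bound = timedelta(seconds=max_validity_interval)
        if expiry - now > bound:
            raise MetadataRejected(
                f"validUntil is {(expiry - now).days} days away, "
                f"exceeding the {bound.days}-day maxValidityInterval"
            )
    return expiry


def evaluate(metadata_xml, max_validity_interval, now=None):
    """Return 'accepted' or 'rejected: <reason>' for a given filter setting."""
    try:
        required_valid_until(metadata_xml, max_validity_interval, now)
        return "accepted"
    except MetadataRejected as exc:
        return f"rejected: {exc}"


# Constructed reference instant and sample aggregates (not real federation data).
NOW = datetime(2009, 7, 29, 12, 23, tzinfo=timezone.utc)
FED_VALID_UNTIL = (NOW + timedelta(days=28)).strftime(SAML_DATETIME)

AGGREGATE_WITH_VALID_UNTIL = (
    f'<EntitiesDescriptor xmlns="{MD_NS}" Name="example-federation" '
    f'validUntil="{FED_VALID_UNTIL}">'
    '<EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>'
    "</EntitiesDescriptor>"
)
AGGREGATE_WITHOUT_VALID_UNTIL = (
    f'<EntitiesDescriptor xmlns="{MD_NS}" Name="example-federation">'
    '<EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>'
    "</EntitiesDescriptor>"
)

SEVEN_DAYS = 604800        # the value in the quoted default filter
THIRTY_DAYS = 30 * 86400   # the interval suggested in the reply

if __name__ == "__main__":
    for label, setting in (("7-day bound", SEVEN_DAYS), ("30-day bound", THIRTY_DAYS)):
        print(f"28-day aggregate, {label}: {evaluate(AGGREGATE_WITH_VALID_UNTIL, setting, NOW)}")
    print(f"aggregate without validUntil: {evaluate(AGGREGATE_WITHOUT_VALID_UNTIL, THIRTY_DAYS, NOW)}")
```

Run stand-alone it prints the three outcomes: the 28-day aggregate is rejected under the 7-day bound, accepted under the 30-day bound, and an aggregate lacking validUntil is rejected regardless of the bound, which is the "completely without metadata" failure mode the reply warns about if the attribute had to be withdrawn.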