Hi Ian,
Many thanks for clearing that up... I'll leave it for the moment and await
more details to appear on the list whenever people start using it more etc.
:-)
Cheers,
Steve
-----Original Message-----
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Ian Young
Sent: 29 July 2009 17:12
To: [log in to unmask]
Subject: Re: validUntil attribute
On 29 Jul 2009, at 12:23, Steve Prentice wrote:
> I see that validUntil is now live.
That is true. As announced a couple of weeks ago to technical contacts, the
production federation metadata now includes a validUntil attribute. The
current validity interval is 28 days, but that will be gradually reduced (on
a schedule as described in that mail to technical contacts) to 14 days, but
it may vary thereafter and we haven't yet decided on what guarantees we want
to give as to the possible bounds that might have in the long term.
> Can anyone just confirm please if the following (default) filter is
> correct for use here?
>
> <MetadataFilter xsi:type="RequiredValidUntil"
>     xmlns="urn:mace:shibboleth:2.0:metadata" maxValidityInterval="604800" />
>
> (In Shib2).
>
> Does the ValidityInterval need changing at all, or is it ok as is?
We don't recommend changing your Shibboleth configuration to require a
validUntil attribute at this point. The reasoning here is that as a
recently introduced feature, there is a small possibility that we'll have to
back the change out... which would leave you completely without metadata.
We'll be providing specific recommendations once the system has stabilised
at a 14 day interval, in about a month. That perhaps wasn't as clear as it
could have been in the announcement, in which I said:
> In order to gain maximum security benefit from this change, it will be
> necessary for sites using software capable of rejecting metadata
> *not* including validUntil to configure it to do so. We will provide
> additional guidance on this step once the transition has been
> completed.
If you feel that you nevertheless want to include this filter now (and
accept the risk that we might have to revert the change briefly) then a 30
day interval should be sufficient for the moment. The example you show
(which works out at 7 days) is definitely not going to work with the current
28-day interval.
-- Ian
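The check Ian describes, as an added example that is not part of the thread or of the Shibboleth code base: a small reimplementation of the RequiredValidUntil filter semantics (reject metadata with no validUntil; with maxValidityInterval set, reject metadata whose validUntil lies further in the future than that many seconds), run against a constructed aggregate with the 28-day validUntil mentioned above. The EntitiesDescriptor sample, the fixed "now" and the extra expiry check are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed reference time (the date of the thread), so results are stable.
NOW = datetime(2009, 7, 29, 17, 12, tzinfo=timezone.utc)

# Constructed sample aggregate: only the root element matters for the filter.
def sample_metadata(now, days):
    valid_until = (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<EntitiesDescriptor xmlns="{MD_NS}" Name="urn:example:federation" '
            f'validUntil="{valid_until}"/>')

def required_valid_until(xml_text, max_validity_interval, now):
    """Return (accepted, reason) following the filter semantics discussed
    in the thread. The 'already expired' branch is an added sanity check,
    not something the thread attributes to the filter."""
    root = ET.fromstring(xml_text)
    value = root.get("validUntil")
    if value is None:
        return False, "validUntil attribute missing"
    valid_until = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    valid_until = valid_until.replace(tzinfo=timezone.utc)
    remaining = (valid_until - now).total_seconds()
    if remaining <= 0:
        return False, "metadata has already expired"
    if max_validity_interval and remaining > max_validity_interval:
        return False, (f"validUntil is {remaining / 86400:.0f} days away, "
                       f"over the {max_validity_interval / 86400:.0f}-day limit")
    return True, "accepted"

def evaluate(validity_days, max_validity_interval):
    """Run the filter on a sample aggregate valid for validity_days."""
    return required_valid_until(sample_metadata(NOW, validity_days),
                                max_validity_interval, NOW)

if __name__ == "__main__":
    # Default 7-day limit (604800 s) against the federation's 28-day interval,
    # then the 30-day limit (2592000 s) suggested in the reply.
    for limit in (604800, 2592000):
        print(limit, evaluate(28, limit))
```

Running it shows the default filter rejecting the 28-day aggregate and the 30-day setting accepting it, which is the mismatch the reply points out.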