Changes

AboutEduID.hu

964 bytes added, 28 March 2012, 18:39
Trust in metadata
The metadata file is re-signed daily or whenever the entity information changes (e.g. entities are added or modified). Entities are expected to refresh the metadata regularly.
==== Trust in metadata ====
===== Verification procedure of the metadata file =====
The contents of the metadata file are to be trusted only if the Federation Operator's signature on it can be validated.
===== Signing procedure =====
Information about the entities is retrieved from the Resource Registry using strong server authentication. If the contents of the metadata change, the new version is saved to a version control system and sent to a public mailing list ([https://listserv.niif.hu/mailman/listinfo/href-metadata-changes href-metadata-changes]).
The signature is made with a PIN-protected hardware token.
===== Signing key rollover, change or revocation =====
Changes of the signing key/certificate are always negotiated with the technical contacts of all federation entities.
==== Authenticating peer entities ====
===== Registration procedure =====
All entities are recommended to use self-signed certificates. Even if an entity uses a certificate signed by an external CA, it shall not be assumed that peers perform any kind of path validation or revocation checking: peers trust the exact certificate published for the entity in the metadata.
===== Entity certificate change or revocation =====
An entity should change its signing certificate by allowing a time frame during which both the old and the new certificate are available in the metadata.
If an entity certificate is compromised, the Federation Operator must be notified immediately. The certificate is removed from the metadata and either replaced by a new one or the entity is removed from the metadata file. On such an incident, all technical contacts are notified to do an immediate metadata refresh to shorten the attack window.
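The peer-authentication and certificate-change rules above, as an added example in Python's standard library; this is not eduID.hu code or tooling, and the entityIDs and the certificate blobs in the sample metadata are constructed placeholders rather than real DER certificates. It assumes the XML-DSig signature on the file has already been verified against the Federation Operator's pinned certificate with an XML signature tool such as xmlsec1; what follows is the explicit-key trust decision that a peer makes from the verified file: a presented signing certificate is accepted only if it is byte-identical to one published for that entityID, with no chain building, CA or revocation lookup, and the freshness check uses the SAML metadata validUntil attribute.

```python
"""Explicit-key trust from federation metadata (added example, not eduID.hu code)."""
import base64
import hashlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ET.register_namespace("md", NS["md"])
ET.register_namespace("ds", NS["ds"])

# Constructed placeholders: real metadata carries base64 DER X.509 certificates,
# but the trust logic only ever compares the raw bytes, so any bytes will do here.
OLD_CERT = b"constructed-old-self-signed-cert-der"
NEW_CERT = b"constructed-new-self-signed-cert-der"
STRANGER = b"constructed-cert-signed-by-a-public-ca-but-not-in-metadata"
IDP = "https://idp.example.org/idp"  # constructed entityID


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample: one IdP in the middle of a rollover, both certs published.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    validUntil="2012-04-04T18:39:00Z">
  <md:EntityDescriptor entityID="{IDP}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{b64(OLD_CERT)}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{b64(NEW_CERT)}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; identifies the exact certificate, not its subject."""
    return hashlib.sha256(der).hexdigest()


def trusted_keys(metadata_xml: str) -> dict:
    """entityID -> set of fingerprints of the signing certificates published for it."""
    root = ET.fromstring(metadata_xml)
    keys = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        fps = set()
        for kd in ed.iter(f"{{{NS['md']}}}KeyDescriptor"):
            if kd.get("use") == "encryption":
                continue  # an absent 'use' means signing and encryption
            for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                fps.add(fingerprint(base64.b64decode("".join(cert.text.split()))))
        keys[ed.get("entityID")] = fps
    return keys


def peer_cert_trusted(keys: dict, entity_id: str, presented_der: bytes) -> bool:
    """Explicit key trust: accepted only if this exact certificate is in the metadata
    for this entityID. No path validation, no CA, no CRL/OCSP: a CA-issued cert that
    is not published is rejected exactly like an unknown self-signed one."""
    return fingerprint(presented_der) in keys.get(entity_id, set())


def metadata_is_fresh(metadata_xml: str, now_utc: str) -> bool:
    """A copy past validUntil is stale; the entity should have refreshed by then."""
    valid_until = ET.fromstring(metadata_xml).get("validUntil")
    if valid_until is None:
        return True  # no expiry published in this file
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(valid_until, fmt).replace(tzinfo=timezone.utc)
    return datetime.strptime(now_utc, fmt).replace(tzinfo=timezone.utc) < expiry


def remove_certificate(metadata_xml: str, der: bytes) -> str:
    """Model the Federation Operator dropping a certificate (end of the rollover
    window, or a compromised key): its KeyDescriptor disappears from the metadata."""
    root = ET.fromstring(metadata_xml)
    target = b64(der)
    kd_tag = f"{{{NS['md']}}}KeyDescriptor"
    cert_tag = f"{{{NS['ds']}}}X509Certificate"
    for parent in list(root.iter()):
        for kd in list(parent):
            if kd.tag == kd_tag and any(
                "".join(c.text.split()) == target for c in kd.iter(cert_tag)
            ):
                parent.remove(kd)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    keys = trusted_keys(SAMPLE_METADATA)
    print("rollover window, old accepted:", peer_cert_trusted(keys, IDP, OLD_CERT))
    print("CA-signed stranger accepted:", peer_cert_trusted(keys, IDP, STRANGER))
    after = trusted_keys(remove_certificate(SAMPLE_METADATA, OLD_CERT))
    print("after rollover, old accepted:", peer_cert_trusted(after, IDP, OLD_CERT))
```

The overlap window in the text is what makes `remove_certificate` safe to apply without an outage: while both certificates are published, a peer that has refreshed accepts signatures made with either key, and once the old KeyDescriptor is dropped, a peer that refreshes promptly stops accepting it, which is why the incident procedure asks every technical contact for an immediate refresh rather than waiting for the next scheduled one.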
==== Metadata extensions ====
==== Other metadata sets available ====
