Changes

AboutEduID.hu

2,417 bytes added, 28 March 2012, 18:17
Metadata: autosave
=== Metadata ===
Information about the entities of the Federation is maintained in a signed XML document, called the federation metadata.
==== Availability ====
The metadata file is available at both http://metadata.eduid.hu/current/href.xml and https://metadata.eduid.hu/current/href.xml; however, the unencrypted method is preferred. The file is stored on a highly available file server.
 
The information inside the metadata file must not be trusted after the date specified in the <code>validUntil</code> field of the topmost <code>EntitiesDescriptor</code>. The expiration date of a metadata file is '''7 days''' after the date of the signature.
 
The metadata file is re-signed daily or whenever the entity information changes (e.g. entities are added or modified). Entities are expected to refresh metadata information regularly.
==== Trust in metadata ====
===== Verification procedure =====
The contents of the metadata file must be trusted only if the signature of the Federation Operator can be validated.
 
The Federation Operator uses a self-signed certificate for signing the metadata file, therefore the signing key must be explicitly trusted. Properties of the signing certificate:
* DN: <code>C=HU, O=NIIF Institute, OU=eduID Federation Operator, CN=Metadata Signer/emailAddress=aai@niif.hu</code>
* MD5 fingerprint: <code>21:8C:BE:B4:D1:D6:12:C4:67:9F:16:FA:93:36:F6:A4</code>
* SHA1 fingerprint: <code>FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66</code>
* Availability: from <code>Oct 5 08:18:46 2011 GMT</code> until <code>Sep 30 08:18:46 2031 GMT</code>
 
The certificate used for signing can be downloaded from https://metadata.eduid.hu/href-metadata-signer-2011.crt; this link should load without certificate warnings in most browsers. It is recommended to also request the signing certificate from the Federation Operator over another verifiable transport (such as PGP-signed email).
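
The <code>validUntil</code> rule from the Availability section and the fingerprint pinning described above can be enforced by a metadata consumer as sketched below. This is an added example, not code from the eduID federation; the function names are hypothetical and the sample document is constructed. It assumes that a <code>validUntil</code> more than 7 days ahead should be rejected, and it does not validate the XML signature itself, which still needs an XML-DSig library keyed to the pinned certificate.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Assumption: reject anything further ahead than the page's 7-day expiry.
MAX_VALIDITY = timedelta(days=7)
# SHA1 fingerprint of the metadata signer, copied from the list above.
PINNED_SHA1 = "FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66"


def sha1_fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA1 of a DER certificate, as openssl prints it."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signer_is_pinned(cert_der: bytes, pinned: str = PINNED_SHA1) -> bool:
    """True only if the certificate is the explicitly trusted one."""
    return sha1_fingerprint(cert_der) == pinned.upper()


def check_freshness(metadata_xml: bytes, now: datetime) -> datetime:
    """Return validUntil of the topmost EntitiesDescriptor; ValueError if unusable."""
    if b"<!DOCTYPE" in metadata_xml:  # no DTDs: avoids entity-expansion tricks
        raise ValueError("DTD not allowed in metadata")
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        raise ValueError("topmost element is not EntitiesDescriptor")
    raw = root.get("validUntil")
    if raw is None:
        raise ValueError("validUntil missing, file would never expire")
    valid_until = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if valid_until.tzinfo is None:  # SAML times are UTC
        valid_until = valid_until.replace(tzinfo=timezone.utc)
    if now >= valid_until:
        raise ValueError("metadata expired")
    if valid_until - now > MAX_VALIDITY:
        raise ValueError("validUntil exceeds the 7-day window")
    return valid_until


if __name__ == "__main__":
    # Constructed sample, not real federation metadata.
    sample = (f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" '
              'validUntil="2012-04-04T08:00:00Z"/>').encode()
    now = datetime(2012, 3, 28, 18, 17, tzinfo=timezone.utc)
    print("usable until", check_freshness(sample, now))
```

Run both checks on every refresh: the fingerprint check on the locally stored signer certificate before it is handed to the signature verifier, and the freshness check on the document after its signature has validated.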
===== Signing procedure =====
Information about the entities is retrieved from the Resource Registry by using strong server authentication. If the contents of the metadata change, it is saved to a version control system and sent to a public mailing list ([https://listserv.niif.hu/mailman/listinfo/href-metadata-changes href-metadata-changes]).
===== Signing key rollover or revocation =====
===== Registration procedure =====
==== Metadata extensions ====
==== Other metadata sets available ====
 
== Federation Operator services ==
=== Metadata distribution ===
