...
MDS bases its aggregation function on the information provided by each participant Federation, as specified in [eduGAIN-Profile]:
...
- The signature was made using an explicit ID reference, not an empty reference.
- The signature reference refers to the document element (this helps to avoid "wrapping attacks").
- The digest algorithm is at least as strong as SHA-256. Specifically, MD5 and SHA-1 are not permitted as digest algorithms.
- The signature method is RSA with an associated digest at least as strong as SHA-256. Specifically, MD5 and SHA-1 are not permitted as digest algorithms.
- The signature's transforms contain only permissible values:
  - Enveloped signature
  - Exclusive canonicalisation with or without comments
Verification of metadata validity
...
Condition | Evaluated | Reason
---|---|---
A1 | the document element is md:EntitiesDescriptor |
A2 | all required namespaces are declared, that is xmlns:md, xmlns:mdrpi and xmlns:ds |
A3 | md:EntitiesDescriptor contains an md:Extensions element with an mdrpi:PublicationInfo element in which the publisher attribute is given |
A4 | the validUntil attribute of the EntitiesDescriptor element exists, can be converted to a time value and does not point to the past | SAML lines 348; 316
A5 | the validUntil attribute has a value not earlier than 120 hours (5 days) and not later than 2304 hours (28 days) after the creationInstant, and is not later than 28 days compared to the download moment | eduGAIN-profile
A6 | the fetched document schema-validates against the following SAML metadata schemas: |
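To make both rule sets concrete, the signature requirements listed above and conditions A1 to A5 of the table, here is an added example written for this page; it is not code from the eduGAIN documents or from the MDS software. It uses only the Python standard library and checks the structural properties the rules name (reference URI, digest and signature algorithms, transforms, document element, declared namespaces, PublicationInfo, validUntil window). It does not perform the cryptographic signature verification itself, which an aggregator would delegate to an XML-DSig library, and it skips A6 because schema validation needs the XSD files. The namespace and algorithm URIs are the standard ones; the sample aggregate, its ID, publisher, dates and the "download moment" are constructed for the example.

```python
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Standard namespace URIs for SAML metadata, the RPI extension and XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Allow-lists taken from the signature rules: digests and RSA methods at least
# as strong as SHA-256 (so no MD5/SHA-1), and only the two permitted transforms.
ALLOWED_DIGESTS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}
ALLOWED_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}

# Validity window for A5, with the hour figures exactly as the table states them.
MIN_LIFETIME = timedelta(hours=120)
MAX_LIFETIME = timedelta(hours=2304)
MAX_AHEAD_OF_DOWNLOAD = timedelta(days=28)

# Constructed sample aggregate (ID, publisher and dates are made up); a real one
# would also carry md:EntityDescriptor children and a genuine signature value.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_agg-2024-05-01" validUntil="2024-05-15T12:00:00Z">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_agg-2024-05-01">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <md:Extensions>
    <mdrpi:PublicationInfo creationInstant="2024-05-01T12:00:00Z" publisher="https://example-federation.test"/>
  </md:Extensions>
</md:EntitiesDescriptor>"""

# Constructed "download moment" used as the reference time for A4/A5.
DOWNLOAD_INSTANT = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)


def _parse_instant(value):
    """Parse an xs:dateTime such as 2024-05-01T12:00:00Z; None if absent or malformed."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None


def _declared_prefixes(xml_text):
    """Namespace prefixes declared anywhere in the document (for A2)."""
    events = ET.iterparse(io.BytesIO(xml_text.encode("utf-8")), events=("start-ns",))
    return {prefix for _, (prefix, _uri) in events}


def check_signature(root):
    """Structural signature rules; cryptographic verification is left to an XML-DSig library."""
    sig = root.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    uri = ref.get("URI") if ref is not None else None
    digest = ref.find("ds:DigestMethod", NS) if ref is not None else None
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS) if sig is not None else None
    transforms = ref.findall("ds:Transforms/ds:Transform", NS) if ref is not None else []
    explicit_id = bool(uri) and uri.startswith("#") and len(uri) > 1
    return {
        "S1": explicit_id,                                # explicit ID reference, not ""
        "S2": explicit_id and root.get("ID") == uri[1:],  # reference names the document element
        "S3": digest is not None and digest.get("Algorithm") in ALLOWED_DIGESTS,
        "S4": method is not None and method.get("Algorithm") in ALLOWED_SIGNATURE_METHODS,
        "S5": bool(transforms) and all(t.get("Algorithm") in ALLOWED_TRANSFORMS for t in transforms),
    }


def check_validity(xml_text, root, now):
    """Conditions A1 to A5 of the table (A6, schema validation, needs the XSD files)."""
    pub = root.find("md:Extensions/mdrpi:PublicationInfo", NS)
    valid_until = _parse_instant(root.get("validUntil"))
    created = _parse_instant(pub.get("creationInstant")) if pub is not None else None
    return {
        "A1": root.tag == "{%s}EntitiesDescriptor" % NS["md"],
        "A2": {"md", "mdrpi", "ds"} <= _declared_prefixes(xml_text),
        "A3": pub is not None and pub.get("publisher") is not None,
        "A4": valid_until is not None and valid_until > now,
        "A5": (valid_until is not None and created is not None
               and MIN_LIFETIME <= valid_until - created <= MAX_LIFETIME
               and valid_until - now <= MAX_AHEAD_OF_DOWNLOAD),
    }


def failed_conditions(xml_text, now=DOWNLOAD_INSTANT):
    """Return the sorted IDs of every condition the aggregate fails (empty list = accept)."""
    root = ET.fromstring(xml_text)
    results = {**check_validity(xml_text, root, now), **check_signature(root)}
    return sorted(k for k, ok in results.items() if not ok)


if __name__ == "__main__":
    print("failed:", failed_conditions(SAMPLE_AGGREGATE))
    weak = SAMPLE_AGGREGATE.replace("http://www.w3.org/2001/04/xmlenc#sha256",
                                    "http://www.w3.org/2000/09/xmldsig#sha1")
    print("failed with SHA-1 digest:", failed_conditions(weak))
```

An aggregator would run these checks before spending any effort on signature verification and reject the document on the first failed condition; the function returns every failing ID so the operator of the publishing federation can be told exactly what to fix. Note that the S2 check compares the reference fragment with the ID of the document element only, so a signature whose reference resolves to some nested element is rejected even though it would be cryptographically valid, which is the point of the wrapping-attack rule.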
...