TestShib.org signature algorithm changed?
Kevin Foote
kpfoote at uoregon.edu
Wed Apr 2 13:45:29 EDT 2014
On 4/2/14, 10:27 AM, "Adam Conley" <aconley at ratex.com> wrote:
>Hello,
>
>Up until a few days ago (maybe a week or 2), the TestShib.org
>IdP was signing assertions with SHA1.
>That seems to have changed, as the signature is now using SHA256:
>
><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256">
>
>The current SP implementation I am using (OpenAM .Net
>Fedlet) doesn't currently support SHA256.
>Was the switch to SHA256 intentional, or is there any chance it will
>switch back to SHA1 to support older implementations, like ours?
>
>Thanks for any info you can provide!
>
>Adam
>
>
Yes, sorry, I need to put up a blurb somewhere. Scott is right though: while
we allow and welcome testing from all SAML software, the main goal of
testshib.org is to provide an up-to-date testing ground for the Shibboleth
software stack. This means using current practices having to do with
signing.
There was a request to do this and a thread [1] on list.
To note, I believe that this stems from the following (bullets taken from
the i2 spaces wiki [2]):
* NIST deprecated the use of SHA-1 in conjunction with digital signatures
on January 1, 2011.
* NIST disallows the use of SHA-1 in conjunction with digital signatures
after January 1, 2014.
* See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4
[1] http://thread.gmane.org/gmane.comp.web.shibboleth.user/33206
[2] https://spaces.internet2.edu/x/yoCkAg
------
thanks,
kevin.foote
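The practical question an SP operator has here is "which hash does this IdP sign with, and can my SP verify it?". The following is example code added to this thread (not TestShib's or OpenAM's own): it reads the ds:SignatureMethod and ds:DigestMethod URIs from a SAML response and reports which signatures an SP limited to a given hash family would reject. The sample response and the SP capability list are constructed.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# XML Signature algorithm URIs grouped by hash family. The SHA-1 URIs are the
# ones NIST disallows for digital signatures after 2014-01-01.
ALG_FAMILY = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "sha256",
}

# Constructed, minimal SAML response whose assertion is signed the way the
# post describes (SHA-256 digest, RSA-SHA256 signature; values are dummies).
SAMPLE_RESPONSE = """<samlp:Response ID="_r1"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>ZHVtbXk=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def audit_signatures(xml_text):
    """List each ds:Signature with the element it covers and the hash families it uses."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}  # ElementTree has no parent links
    findings = []
    for sig in root.iter(DS + "Signature"):
        signed = parent[sig].tag.split("}")[-1]              # e.g. "Assertion" or "Response"
        method = sig.find("./" + DS + "SignedInfo/" + DS + "SignatureMethod")
        algs = [method.get("Algorithm")] if method is not None else []
        algs += [d.get("Algorithm") for d in sig.iter(DS + "DigestMethod")]
        families = {ALG_FAMILY.get(a, "unknown") for a in algs}
        findings.append({"signed": signed, "algorithms": algs, "families": families})
    return findings

def unsupported_for_sp(findings, sp_families):
    """Signatures an SP cannot verify because it lacks one of the hash families used."""
    return [f for f in findings if not f["families"] <= set(sp_families)]
```

Run `unsupported_for_sp(audit_signatures(response_xml), ["sha1"])` against a captured response to see exactly which signatures a SHA-1-only SP such as the old Fedlet would fail on.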