TestShib.org signature algorithm changed?
kpfoote at uoregon.edu
Wed Apr 2 13:45:29 EDT 2014
On 4/2/14, 10:27 AM, "Adam Conley" <aconley at ratex.com> wrote:
>Up until a few days ago (maybe a week or 2), the TestShib.org
>IdP was signing assertions with SHA1.
>That seems to have changed, as the signature is now using SHA256:
>The current SP implementation I am using (OpenAM .Net
>Fedlet) doesn't currently support SHA256.
>Was the switch to SHA256 intentional, or is there any chance it will
>switch back to SHA1 to support older implementations, like ours?
>Thanks for any info you can provide!
Yes sorry need to put up a blurb somewhere. Scott is right though, while
we allow and welcome testing from all SAML software the main goal of
testshib.org is to provide an up-to-date testing ground for the Shibboleth
software stack. This means using current practices having to do with
There was a request to do this and a thread on list.
To note I believe that this stems from the following (bullets taken from
i2 spaces wiki)
* NIST deprecated the use of SHA-1 in conjunction with digital signatures
on January 1, 2011.
* NIST disallows the use of SHA-1 in conjunction with digital signatures
after January 1, 2014.
* See: NIST SP 800-57 Part 1, Revision 3 (July 2012), Tables 3 and 4
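
An added example, not part of the original thread and not code from TestShib or the Fedlet: one way for an SP operator to see which signature and digest algorithms an IdP's assertion declares, and to flag SHA-1. The function name and the sample assertion are constructed for illustration; it also checks the digest method, which the thread does not mention.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# XML Signature algorithm URIs that rely on SHA-1.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# Constructed sample assertion (placeholder values, not a real signature).
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed">
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="{sig}"/>
<ds:Reference URI="#_constructed"><ds:DigestMethod Algorithm="{dig}"/>
<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</saml2:Assertion>"""


def signature_algorithms(saml_xml):
    """Return one dict per ds:Signature: declared algorithms and a SHA-1 flag."""
    # ElementTree is fine for this inline sample; use a hardened parser
    # for XML received from the network.
    root = ET.fromstring(saml_xml)
    report = []
    for sig in root.iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        digests = sig.findall(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")
        sig_alg = method.get("Algorithm") if method is not None else None
        digest_algs = [d.get("Algorithm") for d in digests]
        uses_sha1 = sig_alg in SHA1_URIS or any(d in SHA1_URIS for d in digest_algs)
        report.append({"signature": sig_alg, "digests": digest_algs,
                       "uses_sha1": uses_sha1})
    return report


if __name__ == "__main__":
    new = SAMPLE.format(sig="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                        dig="http://www.w3.org/2001/04/xmlenc#sha256")
    for entry in signature_algorithms(new):
        print(entry)
```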