OpenSSL heartbleed bug / Shibboleth implications

Ian Young ian at
Tue Apr 8 12:34:03 EDT 2014

On 8 Apr 2014, at 16:51, Jeff Silverman <jeff at> wrote:

> Does InC recommend replacing signing and/or encryption keys in response to this vulnerability?

I think this is probably a question better posed to the InCommon Participants list. I also think that it will be a couple of days before you see any definitive recommendations from any of the federation operators, and I'd cut InCommon extra slack because everyone is tied up in the Internet2 summit in Denver this week.

Working from first principles, though, if you have reason to believe a key has been or may have been compromised, then yes you should replace it. That's going to apply to any keys, so including any that only appear on TLS endpoints on vulnerable servers. Any commercial CA certificates involved (as opposed to self-signed ones) will also need to be revoked at the CA, not just replaced.

The tricky part is going to be deciding whether this bug constitutes a compromise or not. That's a judgement call, but given that the attack is simple, untraceable, unlogged and was apparently discovered by more than one group at the same time, I'd say that you'd be well advised to assume the worst.

	-- Ian
