OpenSSL heartbleed bug / Shibboleth implications

Nicholas Roy nsr11 at psu.edu
Tue Apr 8 12:49:01 EDT 2014 

Thanks Jeff - the reason I think it's an appropriate question for that list is that InCommon staff actively monitors that list and is in a position to reply to InCommon policies, practices and recommendations there. Since you asked about InCommon recommendations, likely that's the place to ask. Your question may prompt a discussion of this issue there, which I think would be valuable. 

Best, 

Nick 

----- Original Message -----

From: "Jeff Silverman" <jeff at moodlerooms.com> 
To: "Shib Users" <users at shibboleth.net> 
Sent: Tuesday, April 8, 2014 12:41:46 PM 
Subject: Re: OpenSSL heartbleed bug / Shibboleth implications 

Hi, Nicholas. I apologize -- and I do not mean to sound snarky! -- but I'm not sure I understand why that list is better for this question. I thought my question directly related to the topic at hand? Also, there is basically no activity on that mailing list over the last 24 hours. (This is probably me not sure where the line is drawn between Shib and InC conversations) 

I've tried due diligence before posting this question but the best answer I can derive is "maybe" 

- We don't have any reason to believe we've been compromised 
- We are only running Shib SP services 
- We've applied patches to everything from our vendor 

Since the InC recommended new cert rollout process can take up to two weeks, I'm curious how others are approaching cert replacement. 

Thanks, 
JDS 


On Tue, Apr 8, 2014 at 12:15 PM, Nicholas Roy < nsr11 at psu.edu > wrote: 



That would be a good question for the InCommon Participants list. 

Best, 

Nick 

Nicholas Roy - Penn State - Information Technology Services 
nicholas-roy at psu.edu 
tel +1 814 867 0115 



From: "Jeff Silverman" < jeff at moodlerooms.com > 
To: "Shib Users" < users at shibboleth.net > 
Sent: Tuesday, April 8, 2014 11:51:08 AM 

Subject: Re: OpenSSL heartbleed bug / Shibboleth implications 

Does InC Recommend replacing signing and/or encryption keys in response to this vulnerability? 

Thanks, 
-- 
Jeffrey D. Silverman • Moodlerooms, Inc. 
(410) 779-3425 • jeff at moodlerooms.com 

This email and any attachments may contain confidential and proprietary information of Moodlerooms that is for the sole use of the intended recipient. If you are not the intended recipient, disclosure, copying, re-distribution or other use of any of this information is strictly prohibited. Please immediately notify the sender and delete this transmission if you received this email in error. 

-- 
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net 


-- 
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net 






-- 
Jeffrey D. Silverman • Moodlerooms, Inc. 
(410) 779-3425 • jeff at moodlerooms.com 

This email and any attachments may contain confidential and proprietary information of Moodlerooms that is for the sole use of the intended recipient. If you are not the intended recipient, disclosure, copying, re-distribution or other use of any of this information is strictly prohibited. Please immediately notify the sender and delete this transmission if you received this email in error. 
-- 
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20140408/3e605d49/attachment.html

More information about the users mailing list