OpenSSL heartbleed bug / Shibboleth implications

Cantor, Scott cantor.2 at
Tue Apr 8 13:05:10 EDT 2014

On 4/8/14, 12:41 PM, "Jeff Silverman" <jeff at> wrote:

>Hi, Nicholas. I apologize -- and I do not mean to sound snarky! -- but
>I'm not sure I understand why that list is better for this question.

Well, the way you phrased it is *directly* to InCommon as an entity,
asking for their feedback. This isn't an InCommon list, and the Shibboleth
Project doesn't speak for the federation, so getting an official response
is something you want to direct to their list or contact points.

What you get here is a technical assessment, assuming it's a Shibboleth
implementation involved, but that's not coming from InCommon. Of course,
that may be just as relevant to you, but that's why it's not the same

>I thought my question directly related to the topic at hand? Also, there
>is basically no activity on that mailing list over the last 24 hours.
>(This is probably me not sure where the line is drawn between Shib and
>InC conversations)

Well, pretty much if the word InCommon appears, it's tolerated here but
meant to be there. This list has doubled as InCommon's support list for a
long time, but it's not really the intention, especially when it comes to
policy questions.

>- We don't have any reason to believe we've been compromised

You couldn't know.

>- We are only running Shib SP services

Which is affected if the SP is linked to OpenSSL 1.0.1.

>- We've applied patches to everything from our vendor

The patches appeared literally last night, so you couldn't be protected

>Since the InC recommended new cert rollout process can take up to two
>weeks, I'm curious how others are approaching cert replacement.

I think it will be a little while before we see the way people approach
this, but ultimately you have to make some decisions internally based on
risk tolerance and customer perception, balanced against the inevitable
downtime with IdPs not running Shibboleth or SSP, and balanced against the
way IdPs (in your case) react to SPs willing to operate without addressing

Of course, if you're not affected because you don't have that OpenSSL
version installed, then you breathe a sigh and move on.

-- Scott
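The "affected if the SP is linked to OpenSSL 1.0.1" point above, as an added example that is not from this thread or the Shibboleth project: a small shell check that finds the libssl a shibd binary loads and screens its version string against the Heartbleed (CVE-2014-0160) affected range, 1.0.1 through 1.0.1f (fixed in 1.0.1g). The shibd path and the sample version strings are assumptions; vendors frequently backport the fix without changing the version string, so a hit here is a prompt to read the vendor advisory, not proof of exposure.

```shell
#!/bin/sh
# Added example, not from the original thread. Screens an OpenSSL version
# string for the Heartbleed (CVE-2014-0160) affected range: 1.0.1 through
# 1.0.1f; fixed in 1.0.1g. 1.0.0.x and 0.9.8.x never carried the bug.
# Caveat: distributions often backport the fix without bumping the version
# string, so "affected" here means "confirm against the vendor advisory".

# Usage: openssl_version_affected "OpenSSL 1.0.1e 11 Feb 2013"
# Returns 0 if the version is in the affected range, 1 otherwise.
openssl_version_affected() {
    # Token after "OpenSSL", e.g. 1.0.1e, 1.0.1g, 1.0.0l, 1.0.1
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    base=${ver%%[a-z]*}        # numeric part, e.g. 1.0.1
    letter=${ver#"$base"}      # patch letter, e.g. e (may be empty)
    [ "$base" = "1.0.1" ] || return 1
    case "$letter" in
        ""|a|b|c|d|e|f) return 0 ;;   # 1.0.1 .. 1.0.1f: affected
        *) return 1 ;;                # 1.0.1g and later: fixed
    esac
}

# Usage: shibd_openssl_check /usr/sbin/shibd   (path is an assumption)
# Locates the libssl shared object the binary loads and checks its version.
shibd_openssl_check() {
    lib=$(ldd "$1" 2>/dev/null | awk '/libssl/ {print $3; exit}')
    if [ -z "$lib" ]; then
        echo "no dynamically linked libssl for $1 (static build? ask the vendor)"
        return 2
    fi
    verstr=$(strings "$lib" | grep '^OpenSSL [0-9]' | head -n 1)
    echo "$1 -> $lib -> $verstr"
    if openssl_version_affected "$verstr"; then
        echo "in the affected range: confirm backports with the vendor, then plan key and cert rotation"
        return 0
    fi
    echo "outside the affected range"
    return 1
}

# Run against a binary when one is given on the command line.
if [ -n "${1:-}" ]; then
    shibd_openssl_check "$1"
fi
```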

