OpenSSL heartbleed bug / Shibboleth implications
cantor.2 at osu.edu
Tue Apr 8 13:05:10 EDT 2014
On 4/8/14, 12:41 PM, "Jeff Silverman" <jeff at moodlerooms.com> wrote:
>Hi, Nicholas. I apologize -- and I do not mean to sound snarky! -- but
>I'm not sure I understand why that list is better for this question.
Well, the way you phrased it is *directly* to InCommon as an entity,
asking for their feedback. This isn't an InCommon list, and the Shibboleth
Project doesn't speak for the federation, so getting an official response
is something you want to direct to their list or contact points.
What you get here is a technical assessment, assuming it's a Shibboleth
implementation involved, but that's not coming from InCommon. Of course,
that may be just as relevant to you, but that's why it's not the same
> I thought my question directly related to the topic at hand? Also, there
>is basically no activity on that mailing list over the last 24 hours.
>(This is probably me not sure where the line is drawn between Shib and
Well, pretty much if the word InCommon appears, it's tolerated here but
meant to be there. This list has doubled as InCommon's support list for a
long time, but it's not really the intention, especially when it comes to
>- We don't have any reason to believe we've been compromised
You couldn't know.
>- We are only running Shib SP services
Which is affected if the SP is linked to OpenSSL 1.0.1.
>- We've applied patches to everything from our vendor
The patches appeared literally last night, so you couldn't be protected
>Since the InC recommended new cert rollout process can take up to two
>weeks, I'm curious how others are approaching cert replacement.
I think it will be a little while before we see the way people approach
this, but ultimately you have to make some decisions internally based on
risk tolerance and customer perception, balanced against the inevitable
downtime with IdPs not running Shibboleth or SSP, and balanced against the
way IdPs (in your case) react to SPs willing to operate without addressing
Of course, if you're not affected because you don't have that OpenSSL
version installed, then you breath a sigh and move on.
More information about the users