Getting a grasp on Heartbleed and IDPs

Cantor, Scott cantor.2 at
Thu Apr 10 12:04:51 EDT 2014

On 4/10/14, 11:53 AM, "Wessel, Keith" <kwessel at> wrote:

>If the IDP¹s private key was exposed (through connections to Apache
>connections to 8443), what could a hacker do with it? Could they
>intercept assertaions from our IDP and decrypt them? In short, what is
>the IDP key and cert used for?

The attacker who stole the key can impersonate your IdP, full stop. They
can issue signed assertions as your IdP's identity.

That specific case, you really have no recourse, you're stuck with a key
rollover and getting the old one revoked (that is, get it out of the

-- Scott

More information about the users mailing list