Getting a grasp on Heartbleed and IDPs

Cantor, Scott cantor.2 at osu.edu
Thu Apr 10 12:04:51 EDT 2014


On 4/10/14, 11:53 AM, "Wessel, Keith" <kwessel at illinois.edu> wrote:

>If the IDP's private key was exposed (through connections to Apache
>connections to 8443), what could a hacker do with it? Could they
>intercept assertions from our IDP and decrypt them? In short, what is
>the IDP key and cert used for?

The attacker who stole the key can impersonate your IdP, full stop. They
can issue signed assertions as your IdP's identity.

In that specific case, you really have no recourse: you're stuck with a key
rollover and getting the old one revoked (that is, get it out of the
metadata).

-- Scott
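
The point Scott makes above, that a stolen signing key lets the attacker issue assertions indistinguishable from the IdP's own until the key is removed from metadata, can be shown in a few lines. The following is an added illustration, not code from the original thread or from the Shibboleth project. It stands in for SAML with a plain string payload and Ed25519 signatures (real SAML uses XML Signature with the RSA certificate published in metadata), and the entityID, subjects and the `Metadata`/`Accept` helpers are hypothetical. What it demonstrates is that an SP's decision is "does this signature verify under any key my copy of the IdP's metadata lists", so stopping the IdP from using the compromised key changes nothing; only taking the key out of the metadata does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Assertion is a stand-in for a SAML assertion: the SP trusts its contents
// only if Sig verifies under a key the IdP's metadata currently lists.
// (Constructed for this example; real assertions are signed XML.)
type Assertion struct {
	Issuer  string
	Subject string
	Sig     []byte
}

func (a Assertion) payload() []byte {
	return []byte(a.Issuer + "|" + a.Subject)
}

// Metadata models the SP's copy of the IdP's metadata: the set of signing
// keys (indexed by hex public key) trusted for that entityID.
type Metadata struct {
	EntityID    string
	SigningKeys map[string]ed25519.PublicKey
}

func (m *Metadata) AddKey(pub ed25519.PublicKey) {
	m.SigningKeys[hex.EncodeToString(pub)] = pub
}

func (m *Metadata) RemoveKey(pub ed25519.PublicKey) {
	delete(m.SigningKeys, hex.EncodeToString(pub))
}

// Sign issues an assertion "as the IdP". Anyone holding priv can do this,
// which is exactly the attacker's position after the key is exposed.
func Sign(priv ed25519.PrivateKey, issuer, subject string) Assertion {
	a := Assertion{Issuer: issuer, Subject: subject}
	a.Sig = ed25519.Sign(priv, a.payload())
	return a
}

// Accept is the SP's check: valid iff the issuer matches and the signature
// verifies under any key the metadata lists for it.
func Accept(m *Metadata, a Assertion) bool {
	if a.Issuer != m.EntityID {
		return false
	}
	for _, pub := range m.SigningKeys {
		if ed25519.Verify(pub, a.payload(), a.Sig) {
			return true
		}
	}
	return false
}

// Scenario walks through compromise and rollover. It returns whether the
// forged assertion is accepted before rollover, whether it is still accepted
// once the old key is removed from metadata, and whether a legitimate
// assertion signed with the new key is accepted.
func Scenario() (forgedBefore, forgedAfter, legitAfter bool) {
	const idp = "https://idp.example.edu/idp/shibboleth" // hypothetical entityID
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	md := &Metadata{EntityID: idp, SigningKeys: map[string]ed25519.PublicKey{}}
	md.AddKey(oldPub)

	// The attacker has a copy of oldPriv and forges an assertion for a victim.
	forged := Sign(oldPriv, idp, "victim@example.edu")
	forgedBefore = Accept(md, forged)

	// Rollover order: publish the new key first so SPs trust both, switch the
	// IdP to sign with it, and only then remove the old key. Until that last
	// step, the forged assertion is still valid to every SP.
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	md.AddKey(newPub)
	forgedStillValidMidRollover := Accept(md, forged) // true: old key still listed
	_ = forgedStillValidMidRollover
	md.RemoveKey(oldPub)

	forgedAfter = Accept(md, forged)
	legitAfter = Accept(md, Sign(newPriv, idp, "user@example.edu"))
	return forgedBefore, forgedAfter, legitAfter
}

func main() {
	before, after, legit := Scenario()
	fmt.Printf("forged accepted before rollover: %v\n", before)
	fmt.Printf("forged accepted after old key removed: %v\n", after)
	fmt.Printf("new-key assertion accepted: %v\n", legit)
}
```

The practical consequence for the operator is that "revoked" here means removed from every SP's (or federation's) copy of the IdP metadata; SPs that cache stale metadata, or that had the old certificate pinned locally, keep accepting the attacker's assertions until they refresh.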
