Getting a grasp on Heartbleed and IDPs
Cantor, Scott
cantor.2 at osu.edu
Thu Apr 10 12:06:38 EDT 2014
I would add, my reaction to this, as somebody who wasn't hit on the IdP,
is to work on splitting my TLS and signing keys, so that if the TLS key is
hit in the future, the rollover of that key will affect fewer SPs.
-- Scott
On 4/10/14, 12:04 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>On 4/10/14, 11:53 AM, "Wessel, Keith" <kwessel at illinois.edu> wrote:
>
>>If the IDP¹s private key was exposed (through connections to Apache
>>connections to 8443), what could a hacker do with it? Could they
>>intercept assertaions from our IDP and decrypt them? In short, what is
>>the IDP key and cert used for?
>
>The attacker who stole the key can impersonate your IdP, full stop. They
>can issue signed assertions as your IdP's identity.
>
>That specific case, you really have no recourse, you're stuck with a key
>rollover and getting the old one revoked (that is, get it out of the
>metadata).
>
>-- Scott
>
>
>--
>To unsubscribe from this list send an email to
>users-unsubscribe at shibboleth.net
>
More information about the users
mailing list