Getting a grasp on Heartbleed and IDPs

Wessel, Keith kwessel at
Thu Apr 10 12:07:23 EDT 2014

Thanks, Scott, that sums things up exactly as I needed them.


-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Thursday, April 10, 2014 11:05 AM
To: Shib Users
Subject: Re: Getting a grasp on Heartbleed and IDPs

On 4/10/14, 11:53 AM, "Wessel, Keith" <kwessel at> wrote:

>If the IDP's private key was exposed (through connections to Apache 
>connections to 8443), what could a hacker do with it? Could they 
>intercept assertions from our IDP and decrypt them? In short, what is 
>the IDP key and cert used for?

The attacker who stole the key can impersonate your IdP, full stop. They can issue signed assertions as your IdP's identity.

That specific case, you really have no recourse, you're stuck with a key rollover and getting the old one revoked (that is, get it out of the metadata).

-- Scott
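Scott's answer describes the SP side of the trust relationship: a signed assertion is accepted because the key that signed it is listed in the IdP's published metadata, so a stolen key keeps working until it is removed and the replacement is published. The Go program below is an added illustration of that trust model and of the rollover step, not code from this thread or from the Shibboleth project. It assumes RSA PKCS#1 v1.5 over SHA-256 on raw assertion bytes (standing in for XML-DSig with canonicalization) and identifies keys by public-key fingerprint rather than by the certificate in a KeyDescriptor; the keys and the assertion text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// keyID identifies a signing key once it has been loaded from metadata: the SHA-256
// fingerprint of the DER-encoded public key. Real SAML metadata carries the whole
// certificate inside a KeyDescriptor; the fingerprint is a simplification for this example.
func keyID(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// generateKey makes a fresh RSA signing key. Constructed for the example; a real IdP
// key lives in a keystore and is only replaced during a deliberate rollover.
func generateKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// signAssertion signs the assertion bytes the way the IdP does (RSA PKCS#1 v1.5 over
// SHA-256; XML-DSig canonicalization is omitted). Anyone holding priv can do this,
// which is why a leaked key lets its holder issue assertions as the IdP.
func signAssertion(priv *rsa.PrivateKey, assertion []byte) ([]byte, string) {
	digest := sha256.Sum256(assertion)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig, keyID(&priv.PublicKey)
}

// Metadata models the SP's copy of the IdP's published signing keys. Trust is nothing
// more than "is the key that produced this signature still listed here".
type Metadata struct {
	keys map[string]*rsa.PublicKey
}

func NewMetadata() *Metadata { return &Metadata{keys: map[string]*rsa.PublicKey{}} }

// Publish lists a key; during a rollover the old and the new key are both listed.
func (m *Metadata) Publish(pub *rsa.PublicKey) { m.keys[keyID(pub)] = pub }

// Revoke delists a key; this is "get it out of the metadata" from the thread.
func (m *Metadata) Revoke(pub *rsa.PublicKey) { delete(m.keys, keyID(pub)) }

// VerifyAssertion is the SP-side check: the signing key must be in metadata and the
// signature must verify against it.
func (m *Metadata) VerifyAssertion(assertion, sig []byte, kid string) error {
	pub, ok := m.keys[kid]
	if !ok {
		return errors.New("signing key is not in the IdP's metadata")
	}
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// RolloverScenario plays the thread's situation through: a leaked key is accepted until
// it is removed from metadata, and the replacement key is accepted once published.
// It reports (old key accepted before revocation, old key accepted after revocation,
// new key accepted after rollover).
func RolloverScenario() (oldBefore, oldAfter, newOK bool) {
	compromised, replacement := generateKey(), generateKey()
	// Constructed stand-in for a SAML assertion; only its bytes matter here.
	assertion := []byte(`<saml:Assertion ID="_constructed-example">...</saml:Assertion>`)

	md := NewMetadata()
	md.Publish(&compromised.PublicKey)

	// Whoever holds the compromised key produces assertions the SP accepts.
	sig, kid := signAssertion(compromised, assertion)
	oldBefore = md.VerifyAssertion(assertion, sig, kid) == nil

	// Rollover: publish the replacement, then remove the compromised key.
	md.Publish(&replacement.PublicKey)
	md.Revoke(&compromised.PublicKey)

	oldAfter = md.VerifyAssertion(assertion, sig, kid) == nil
	sig2, kid2 := signAssertion(replacement, assertion)
	newOK = md.VerifyAssertion(assertion, sig2, kid2) == nil
	return oldBefore, oldAfter, newOK
}

func main() {
	b, a, n := RolloverScenario()
	fmt.Printf("old key accepted before revocation: %v\n", b)
	fmt.Printf("old key accepted after revocation:  %v\n", a)
	fmt.Printf("new key accepted after rollover:    %v\n", n)
}
```

The order of the two rollover steps matters in practice: SPs refresh federation metadata on their own schedule, so the replacement key has to be published and picked up before the IdP starts signing with it, and the compromised key only stops being honoured once every SP has loaded metadata that no longer lists it.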
