Getting a grasp on Heartbleed and IDPs
kwessel at illinois.edu
Thu Apr 10 12:07:23 EDT 2014
Thanks, Scott, that sums things up exactly as I needed them.
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Thursday, April 10, 2014 11:05 AM
To: Shib Users
Subject: Re: Getting a grasp on Heartbleed and IDPs
On 4/10/14, 11:53 AM, "Wessel, Keith" <kwessel at illinois.edu> wrote:
>If the IDP¹s private key was exposed (through connections to Apache
>connections to 8443), what could a hacker do with it? Could they
>intercept assertaions from our IDP and decrypt them? In short, what is
>the IDP key and cert used for?
The attacker who stole the key can impersonate your IdP, full stop. They can issue signed assertions as your IdP's identity.
That specific case, you really have no recourse, you're stuck with a key rollover and getting the old one revoked (that is, get it out of the metadata).
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users