Getting a grasp on Heartbleed and IDPs

Cantor, Scott cantor.2 at
Tue Apr 15 12:36:56 EDT 2014

On 4/15/14, 11:01 AM, "Liam Hoekenga" <liamr at> wrote:
>Would it be reasonable to consider using the front channel / browser
>facing cert to secure the backchannel?


>What would be the downside?

Many, starting with the fact that it changes every year or two, and that
often results in the key changing periodically. It's also non-self-signed,
which triggers bad side effects in a lot of other implementations.

>  (The calling SP would have to have the CA cert that was being used,

Not Shibboleth. Others yes, maybe, possibly. That's the point. It solves
nothing and breaks lots of things.

-- Scott

