Benefits of IdPv3 re: migration to SHA-2 signing
Cantor, Scott
cantor.2 at osu.edu
Wed Aug 12 12:34:39 EDT 2015
On 8/12/15, 11:49 AM, "users on behalf of Nick Roy" <users-bounces at shibboleth.net on behalf of nroy at internet2.edu> wrote:
>
>It looks like migration to SHA-2 signing is a lot easier (indeed, possible) in IdPv3. Is that true? Is SHA-2 signing the default, or must it be proactively configured in v3?
It's the default, and the ability to selectively back off to SHA-1 is included, unlike in V2.
>Is there a list of intrinsic security benefits of deploying IdPv3 (aside from it being the only way to get IdP security updates in the near future)?
Security wasn't really a focus of the work (neither were features, despite the relatively long list of them). It sounds bad to a non-programmer, but the reality was that it was 2.5 years of work simply to produce a code base that wasn't impractical to extend. The choices were to rewrite it again, even if not a single feature was added, or mothball it.
I suppose one thing that's sort of a security feature is that the problems with identity switching have been addressed. The IdP used to merge together logins from user A and B if they shared the same browser in a fairly questionable way that only made sense from a really pedantic point of view. V3 defaults to dumping an older session and replacing it with a new one if the identity switches, and you can also get it to just fail. Of course, that doesn't help user A when they're still logged into a dozen apps that the browser can access even if the IdP isn't one of them.
More generally, we can get logout fully implemented eventually on top of this design, but I don't consider logout a security feature because I still believe it is fundamentally pointless and unreliable.
-- Scott
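An illustration of the "selectively back off to SHA-1" point above, added here as an example and not taken from the thread or from the Shibboleth project's own files: a fragment of an IdP v3 conf/relying-party.xml in which the default relying-party configuration keeps the stock security configuration (SHA-256 signing), while a single service provider that still cannot validate SHA-2 signatures is overridden to SHA-1 by pointing its SAML 2 SSO profile at the stock shibboleth.SecurityConfiguration.SHA1 bean. The entity ID https://legacy-sp.example.org/shibboleth is a placeholder; the bean and parent names are those of the IdP 3.x default configuration as I recall them, so verify them against your own installation before use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example relying-party.xml fragment (constructed for illustration; not the
     project's shipped file). Shows per-SP SHA-1 fallback in IdP v3. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Default for every relying party: no securityConfiguration is set, so
         the stock default applies (RSA-SHA256 signatures, SHA-256 digests). -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

    <!-- Selective fallback: ONLY this one SP (placeholder entity ID) gets
         SHA-1 signing, via the IdP's predefined SHA-1 security configuration
         bean. Every other SP keeps SHA-256. Remove the override once the SP
         can validate SHA-2 signatures. -->
    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName"
              c:relyingPartyIds="https://legacy-sp.example.org/shibboleth">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO"
                          p:postAuthenticationFlows="attribute-release"
                          p:securityConfiguration-ref="shibboleth.SecurityConfiguration.SHA1" />
                </list>
            </property>
        </bean>
    </util:list>

</beans>
```

The override is scoped to the named profile on the named relying party, which is the property that V2 lacked: the weak algorithm is confined to the one SP that needs it instead of being applied globally. After deploying, confirm the effect by inspecting the ds:SignatureMethod Algorithm attribute in a captured response from the IdP: it should be http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 for ordinary SPs and http://www.w3.org/2000/09/xmldsig#rsa-sha1 only for the overridden one.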