Benefits of IdPv3 re: migration to SHA-2 signing
Nick Roy
nroy at internet2.edu
Wed Aug 12 16:20:01 EDT 2015
Thanks Scott, this helps a lot, and I'm right there with you on the need to get a codebase to a maintainable and extensible state or abandon it. Had to totally re-write a couple large things from scratch for maintainability in the past. The fact that v3 defaults to SHA-2 is significant, I think.
Best,
Nick
On 8/12/15, 10:34 AM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:
>On 8/12/15, 11:49 AM, "users on behalf of Nick Roy" <users-bounces at shibboleth.net on behalf of nroy at internet2.edu> wrote:
>
>>It looks like migration to SHA-2 signing is a lot easier (indeed, possible) in IdPv3. Is that true? Is SHA-2 signing the default, or must it be proactively configured in v3?
>
>It's the default, and the ability to selectively back off to SHA-1 is included, unlike in V2.
>
>>Is there a list of intrinsic security benefits of deploying IdPv3 (aside from it being the only way to get IdP security updates in the near future)?
>
>Security wasn't really a focus of the work (neither were features, despite the relatively long list of them). It sounds bad to a non-programmer, but the reality was that it was 2.5 years of work simply to produce a code base that wasn't impractical to extend. The choices were to rewrite it again, even if not a single feature was added, or mothball it.
>
>I suppose one thing that's sort of a security feature is that the problems with identity switching have been addressed. The IdP used to merge together logins from user A and B if they shared the same browser in a fairly questionable way that only made sense from a really pedantic point of view. V3 defaults to dumping an older session and replacing it with a new one if the identity switches, and you can also get it to just fail. Of course, that doesn't help user A when they're still logged into a dozen apps that the browser can access even if the IdP isn't one of them.
>
>More generally, we can get logout fully implemented eventually on top of this design, but I don't consider logout a security feature because I still believe it is fundamentally pointless and unreliable.
>
>-- Scott
>
>--
>To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
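The practical follow-up to "SHA-2 is the default" is checking what a deployed IdP actually emits, since a per-relying-party override can still back an individual SP off to SHA-1. The script below is an added example for this thread, not code from the Shibboleth project or from either poster: it parses a SAML response and reports the SignatureMethod and DigestMethod algorithm URIs of every XML Signature it finds. The sample response is constructed for illustration (the signature and digest values are placeholders, and nothing here verifies the signatures); the algorithm URIs are the standard XML Signature identifiers.

```python
"""Report the hash family used by every XML Signature in a SAML message.

Added example, not part of the original thread or of the Shibboleth IdP.
It only reads algorithm identifiers; it does not validate signatures.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML Signature algorithm URIs, grouped by hash family.
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
}
SHA2_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
}

# Constructed sample: the Response is signed with RSA-SHA256 but the
# enclosed Assertion is signed with RSA-SHA1, as a per-SP override would do.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2015-08-12T16:20:01Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2015-08-12T16:20:01Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_assert1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def hash_family(algorithm_uri):
    """Map an XML Signature algorithm URI to 'sha1', 'sha2' or 'unknown'."""
    if algorithm_uri in SHA1_ALGORITHMS:
        return "sha1"
    if algorithm_uri in SHA2_ALGORITHMS:
        return "sha2"
    return "unknown"


def audit_signatures(xml_text):
    """Return one finding per ds:Signature, in document order.

    Use defusedxml instead of the stdlib parser when the input is untrusted.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for signature in root.iter(f"{{{DS}}}Signature"):
        method = signature.find(f"./{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        sig_alg = method.get("Algorithm", "") if method is not None else ""
        signed_uris, digest_algs = [], []
        for ref in signature.findall(f"./{{{DS}}}SignedInfo/{{{DS}}}Reference"):
            signed_uris.append(ref.get("URI", ""))
            dm = ref.find(f"{{{DS}}}DigestMethod")
            digest_algs.append(dm.get("Algorithm", "") if dm is not None else "")
        families = {hash_family(sig_alg)} | {hash_family(a) for a in digest_algs}
        findings.append({
            "signed": signed_uris,
            "signature_method": sig_alg,
            "digest_methods": digest_algs,
            "sha2_only": families == {"sha2"},   # every algorithm is SHA-2
            "sha1_present": "sha1" in families,  # at least one SHA-1 algorithm
        })
    return findings


def sha1_present(xml_text):
    """True if any signature or digest in the message still uses SHA-1."""
    return any(f["sha1_present"] for f in audit_signatures(xml_text))


if __name__ == "__main__":
    for f in audit_signatures(SAMPLE_RESPONSE):
        status = "ok" if f["sha2_only"] else "NOT SHA-2 only"
        print(f'{",".join(f["signed"])}: {f["signature_method"]} [{status}]')
```

Run it against responses captured from your own IdP (for example from a browser's SAML trace) to confirm that both the Response and Assertion signatures moved to SHA-2, and that any remaining SHA-1 signature corresponds to a relying-party override you actually intended.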