SP entityID from multiple metadata sources

Cantor, Scott cantor.2 at osu.edu
Thu May 7 15:22:58 EDT 2015

On 5/7/15, 3:07 PM, "Paul Engle" <pengle at rice.edu> wrote:
>Oh no, I know it's not required. But we're going to have to dump the
>SHA1 certs eventually. And it's a lot easier to get people understand
>possible disruption because we're doing a major upgrade of the software
>than to try to explain the vagaries of encryption technologies to them
>later on.

It's somewhat risky either way because it tends to create FUD around the change (look at this mess V3 has caused), but that aside, Shibboleth per se does not use SHA-1 in those certs, it's meaningless. Obviously other software does. But you can avoid a good amount of impact by reusing the same key and just changing the certificate.

-- Scott

More information about the users mailing list