Shibboleth Identity Provider Security Advisory [4 October 2017]
Cantor, Scott
cantor.2 at osu.edu
Thu Oct 5 09:26:01 EDT 2017
> * Takeshi NISHIMURA <takeshi at nii.ac.jp> [2017-10-05 12:25]:
> > > And that will be the official position of the project to the
> > extent that we will stop supporting it in 4.0 to whatever extent
> > possible.
> >
> > Same will apply to metadata download URL?
>
> I wouldn't go that far.
I wouldn't either, but I haven't looked at the state of the configuration of the HTTP client on that side of the code. It doesn't generally come into play and relying on TLS instead of a signature is playing with fire to begin with.
-- Scott
More information about the users
mailing list