Shibboleth Identity Provider Security Advisory [4 October 2017]

Cantor, Scott cantor.2 at
Thu Oct 5 09:26:01 EDT 2017

> * Takeshi NISHIMURA <takeshi at> [2017-10-05 12:25]:
> > > And that will be the official position of the project to the
> > extent that we will stop supporting it in 4.0 to whatever extent
> > possible.
> >
> > Same will apply to metadata download URL?
> I wouldn't go that far.

I wouldn't either, but I haven't looked at the state of the configuration of the HTTP client on that side of the code. It doesn't generally come into play and relying on TLS instead of a signature is playing with fire to begin with.

-- Scott

More information about the users mailing list