Shibboleth Identity Provider Security Advisory [4 October 2017]
Peter Schober
peter.schober at univie.ac.at
Thu Oct 5 11:16:35 EDT 2017
* Cantor, Scott <cantor.2 at osu.edu> [2017-10-05 15:27]:
> and relying on TLS instead of a signature is playing with fire to
> begin with.
Sure, which is why I wouldn't want to have to instruct metadata
consumers to also manually configure an extra TLS trust anchor only
because the *signed* metadata we're publishing is /also/ available via
HTTPS. Mostly because they might "forget" to configure our real trust
anchor -- the signature validation certificate -- after having
configured the TLS trust anchor.
Today this is purely academic to me, as all our metadata URLs are
plain HTTP and all metadata is xmldsig-signed. But I wouldn't want to
dilute or conflate the all-important signature checking with
custom-TLS trust chain config.
-peter
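For readers unfamiliar with the setup described above (signed metadata fetched over plain HTTP, with the signing certificate as the sole trust anchor), here is an added illustration in the form of a Shibboleth IdP 3 metadata-provider fragment. It is not from the thread or from the Shibboleth project itself; the URL, file paths and validity interval are hypothetical, and the element and attribute names follow the IdP's metadata-providers.xml conventions as I understand them.

```xml
<!-- Assumed to live inside conf/metadata-providers.xml (IdP 3), within the
     ChainingMetadataProvider that file already declares. -->
<MetadataProvider id="ExampleFederation"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  metadataURL="http://metadata.example.org/federation-metadata.xml"
                  backingFile="%{idp.home}/metadata/example-federation.xml">

    <!-- The trust anchor: the federation's metadata signing certificate.
         Every refresh is rejected unless the XML signature verifies
         against this key, so the plain-HTTP transport adds no trust and
         needs no TLS trust anchor of its own. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    certificateFile="%{idp.home}/credentials/example-federation-signing.pem"/>

    <!-- Refuse metadata without a validUntil, or with one too far in the
         future, so a captured signed copy cannot be replayed indefinitely. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
</MetadataProvider>
```

Swapping the URL to https:// changes nothing about which key is trusted; the SignatureValidation filter remains the only check that matters.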