Shibboleth Identity Provider Security Advisory [4 October 2017]

Peter Schober peter.schober at
Thu Oct 5 11:16:35 EDT 2017

* Cantor, Scott <cantor.2 at> [2017-10-05 15:27]:
> and relying on TLS instead of a signature is playing with fire to
> begin with.

Sure, which is why I wouldn't want to have to instruct metadata
consumers to also manually configure an extra TLS trust anchor only
because the *signed* metadata we're publishing is /also/ available via
HTTPS. Mostly because they might "forget" to configure our real trust
anchor -- the signature validation certificate -- after having
configured a TLS trust anchor.

Today this is purely academic to me, as all our metadata URLs are
plain HTTP and all metadata is xmldsig-signed. But I wouldn't want to
dilute or conflate the all-important signature checking with
custom-TLS trust chain config.
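For concreteness, this is what the consumer-side setup Peter describes looks like in a Shibboleth IdP v3 metadata-providers.xml: metadata is fetched over plain HTTP and trust comes solely from the XML signature checked against a locally held signing certificate. This is an added example, not configuration from the original thread or from any federation; the URL, file paths and id values are placeholders.

```xml
<!-- Added example (not from the original thread): one provider inside the
     ChainingMetadataProvider of a Shibboleth IdP v3 metadata-providers.xml.
     URL and paths are placeholders. -->
<MetadataProvider id="ExampleFederation"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  metadataURL="http://metadata.example.org/metadata.xml"
                  backingFile="%{idp.home}/metadata/example-federation.xml"
                  maxRefreshDelay="PT4H">

    <!-- The trust anchor: the federation's metadata signing certificate,
         obtained and verified out of band (e.g. against a fingerprint the
         federation publishes), not the TLS chain of the download. Plain
         HTTP is acceptable because an unsigned or wrongly signed document
         is rejected here. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    certificateFile="%{idp.home}/credentials/example-federation-signer.pem"
                    requireSignedRoot="true"/>

    <!-- Bound how long a stale but validly signed document is accepted;
         this requires the federation to publish validUntil. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
</MetadataProvider>
```

If the same signed metadata is also published over HTTPS, pointing metadataURL at that URL changes nothing about trust: the SignatureValidation filter still decides what is accepted, and the download itself is validated against the JVM's default CA store, so no extra TLS trust anchor has to be configured on the consumer side.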

