random issues with idp 3.4.1

Paul B. Henson henson at cpp.edu
Wed Dec 5 14:35:40 EST 2018

> From: Cantor, Scott
> Sent: Wednesday, December 5, 2018 6:28 AM
> The new setting is commented out by default, no?

Yes, but the only description in the configuration file is "To upgrade to AES-GCM encryption, set to shibboleth.EncryptionConfiguration.GCM"; so to me it was basically "Stronger encryption? Sign me up!" ;).

> since it was added late. If you can't find it in the wiki with a simple search,
> that would be a problem.

I must confess I didn't search for it in the wiki, because it didn't seem very complicated. Enable stronger encryption, or use weaker encryption 8-/. Preferably while a fair number of providers don't support it, it would be nice to have a comment in the configuration file itself mentioning potential compatibility issues if turned on.

> There wasn't a lot about the new property in the body of the documentation, so I fleshed it out a bit.

Cool, thanks.

> We are considering making GCM the V4 default because CBC has been broken for many years and most of the broken systems are cloud SPs for 
> which metadata has to be manual anyway, and it's easy to toggle them back to CBC with the metadata

The ones that broke for me were a mix of hardcoded metadata and ones with metadata in the Federation; but I see you can override it in relying party config as well. Maybe by the time V4 comes out fewer providers will be broken (holding breath, turning blue 8-/ ).

Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768

More information about the users mailing list