CentOS/RHEL packages for - Shibboleth Service Provider Security Advisory [27 February 2018]

Cantor, Scott cantor.2 at osu.edu
Thu Mar 8 14:44:02 EST 2018

> Actually it's worse than that. An SP that supports XML encryption but does not
> support the seamless rollover of encryption keys is potentially worse than an
> SP that does not support encryption at all.

I would have agreed prior to this last month, but at this point, you turn it on and you deal with the breakage when it happens. Broken's better than insecure.

In any case, the question is not really "do they support?" but "is it being used?" and that's what Mike/et al were answering.

-- Scott

More information about the users mailing list