CWE ID 327: AbstractNamedCurve.java:94
Brent Putman
putmanb at georgetown.edu
Fri Sep 23 21:55:55 UTC 2022
On 9/23/22 1:24 AM, Nate Klingenstein wrote:
> Jeremy,
>
> The sad answer is that the SP can specify which cipher suites are
> acceptable to it through the use of metadata, but few IdP's actually
> honor it. Shibboleth does.
>
> 2.4.1.1 <http://2.4.1.1>:
>
> https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
>
> e.g.
>
> https://samltest.id/saml/sp
>
> <md:EncryptionMethod
> Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
>
All true, but as I just noted in previous message, the original
question here is about weak EC curves. Those aren't going to be an
"algorithm" one indicates in metadata like that, since they are
properties of the EC keys themselves. However, the answer is easier.
For encryption (to you) don't put a key with a weak curve in your
metadata that you give to other parties. Done. For signing (by you),
same answer.
For encryption (by you) and signature validation (signatures sent to
you), you need local policy enforcement, like an algorithm
include/exclude list (formerly known as whitelist/blacklist).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220923/50ba4a06/attachment.htm>
More information about the users
mailing list