CWE ID 327:

Brent Putman putmanb at
Fri Sep 23 21:55:55 UTC 2022

On 9/23/22 1:24 AM, Nate Klingenstein wrote:
> Jeremy,
> The sad answer is that the SP can specify which cipher suites are 
> acceptable to it through the use of metadata, but few IdP's actually 
> honor it.  Shibboleth does.
> <>:
> e.g.
>       <md:EncryptionMethod 
> Algorithm=""/>

All true, but as I just noted in previous message, the original 
question here is about weak EC curves. Those aren't going to be an 
"algorithm" one indicates in metadata like that, since they are 
properties of the EC keys themselves.  However, the answer is easier.  
For encryption (to you) don't put a key with a weak curve in your 
metadata that you give to other parties. Done. For signing (by you), 
same answer.

For encryption (by you) and signature validation (signatures sent to 
you), you need local policy enforcement, like an algorithm 
include/exclude list (formerly known as whitelist/blacklist).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list