CWE ID 327: AbstractNamedCurve.java:94

Nate Klingenstein ndk at sudonym.me
Fri Sep 23 22:19:52 UTC 2022


>
> All true, but as I just noted in previous message, the original question
> here is about weak EC curves. Those aren't going to be an "algorithm" one
> indicates in metadata like that, since they are properties of the EC keys
> themselves.
>

Yes, absolutely.  But if I were the SP in question, I would fear that
supplying just a strong EC key in metadata would be more likely to lead to
interoperability failures or unencrypted assertions with most IdPs, which
lack the code to deal with EC keys at all.  The ideal may be the enemy of
the good in this instance.