assurance - Re: [Assurance] Assurance and SHA-1/SHA-2

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] Assurance and SHA-1/SHA-2
  • Date: Fri, 9 May 2014 21:04:49 +0000
  • Accept-language: en-US

On 5/9/14, 4:46 PM, "Tom Scavo" <> wrote:

>I blogged about this topic earlier this week:
>https://spaces.internet2.edu/x/AYbYAg

Just a comment about one of your comments. I think it would be much more
sensible to plan a global switchover for a V2 IdP to SHA-2 after the June
change in the metadata than to wait for V3. Nobody with a production V2
deploy is likely to be moving to V3 *that* rapidly, and since it's going
to default to SHA-2, getting V2 switched over to SHA-2 earlier eliminates
an entire class of concerns with moving to V3 later.

The best strategy in most cases is to stand up a second IdP instance
running SHA-2 (and your production config/keys/etc) and push test
transactions over to suspect vendor SPs that you can't count on the
behavior of, to determine how risky a move to SHA-2 will be in production.

-- Scott
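
Added example, not part of the original message or of any IdP project's code: when pushing test transactions from a second IdP instance as described above, a captured SAML response can be checked to confirm that both the signature method and the reference digests have actually moved to SHA-2. The function names and the sample response are constructed for illustration; the script only reads the declared algorithm URIs and does not verify signatures.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
OLD, MORE, ENC = ("http://www.w3.org/2000/09/xmldsig#",
                  "http://www.w3.org/2001/04/xmldsig-more#",
                  "http://www.w3.org/2001/04/xmlenc#")
# Standard XML Signature algorithm identifiers, grouped by hash family.
SHA1 = {OLD + "rsa-sha1", OLD + "dsa-sha1", OLD + "sha1", MORE + "ecdsa-sha1"}
SHA2 = {MORE + "rsa-sha256", MORE + "rsa-sha384", MORE + "rsa-sha512",
        MORE + "ecdsa-sha256", ENC + "sha256", MORE + "sha384", ENC + "sha512"}

def family(uri):
    return "SHA-2" if uri in SHA2 else "SHA-1" if uri in SHA1 else "unknown"

def audit_signatures(xml_text):
    """Report the declared algorithms of every ds:Signature (no verification)."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for sig in parent.findall(DS + "Signature"):
            method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
            digests = sig.findall(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")
            findings.append({
                "signed": parent.tag.rsplit("}", 1)[-1],  # Response or Assertion
                "signature": family(method.get("Algorithm")) if method is not None else "missing",
                "digests": sorted({family(d.get("Algorithm")) for d in digests}),
            })
    return findings

def fully_sha2(findings):
    """True only if something was signed and nothing still relies on SHA-1."""
    return bool(findings) and all(
        f["signature"] == "SHA-2" and f["digests"] == ["SHA-2"] for f in findings)

# Constructed sample: signature method switched to SHA-256, digest left at SHA-1.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion><ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for finding in audit_signatures(SAMPLE):
        print(finding)
    print("fully SHA-2:", fully_sha2(audit_signatures(SAMPLE)))
```

The constructed sample is flagged because its digest is still SHA-1 even though the signature method is SHA-256, which is the kind of partial switchover a test instance should surface before production.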