Re: [Assurance] Assurance and SHA-1/SHA-2


  • From: Tom Scavo <>
  • To:
  • Subject: Re: [Assurance] Assurance and SHA-1/SHA-2
  • Date: Fri, 9 May 2014 18:35:26 -0400

On Fri, May 9, 2014 at 5:04 PM, Cantor, Scott
<>
wrote:
> On 5/9/14, 4:46 PM, "Tom Scavo"
> <>
> wrote:
>
>>I blogged about this topic earlier this week:
>>https://spaces.internet2.edu/x/AYbYAg
>
> Just a comment about one of your comments. I think it would be much more
> sensible to plan a global switchover for a V2 IdP to SHA-2 after the June
> change in the metadata than to wait for V3. Nobody with a production V2
> deploy is likely to be moving to V3 *that* rapidly, and since it's going
> to default to SHA-2, getting V2 switched over to SHA-2 earlier eliminates
> an entire class of concerns with moving to V3 later.

I could suggest such a strategy, I suppose, but apart from
Bronze/Silver, what is the incentive for an IdP operator to do that?

> The best strategy in most cases is to stand up a second IdP instance
> running SHA-2 (and your production config/keys/etc) and push test
> transactions over to suspect vendor SPs that you can't count on the
> behavior of, to determine how risky a move to SHA-2 will be in production.

I assume you mean an identical IdP (except for SHA-2 support) set up
on a new IP address. Then map the IdP's domain name to that IP address
using /etc/hosts on a test client machine. Right?

Tom
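A practical check to go with the test-instance approach discussed above: before deciding how risky the SHA-2 switch is, an operator wants to know which hash family a given signed SAML message actually carries. The script below is an added example, not code from this thread or from the Shibboleth project. It parses a captured SAML Response (the sample message is constructed; its digest and signature values are placeholders, not real cryptographic output) and reports whether the XML Signature's SignatureMethod and DigestMethod URIs are SHA-1, SHA-2, or a mix of both. Run the same check on a response from the production IdP and on one from the SHA-2 test instance to confirm the two really differ only in the algorithms.

```python
"""Report the hash family used by the XML Signature(s) in a SAML message.

Added example for the SHA-1/SHA-2 discussion; the sample Response below is
constructed and its DigestValue/SignatureValue are placeholders.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm identifiers from XML Signature (xmldsig-core, RFC 6931, xmlenc),
# grouped by the hash family they use.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}
SHA2_URIS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}


def family(uri):
    """Map one algorithm URI to 'sha1', 'sha2' or 'unknown'."""
    if uri in SHA1_URIS:
        return "sha1"
    if uri in SHA2_URIS:
        return "sha2"
    return "unknown"


def classify_signatures(xml_text):
    """Return one record per ds:Signature found anywhere in the document.

    The overall family is 'sha2' only when every algorithm (signature method
    and all reference digests) is SHA-2; 'mixed' flags a message that still
    carries SHA-1 somewhere, which is what a strict SP would reject.
    """
    root = ET.fromstring(xml_text)
    records = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed_info = sig.find(f"{{{DS}}}SignedInfo")
        if signed_info is None:
            continue  # not a well-formed signature; nothing to classify
        method = signed_info.find(f"{{{DS}}}SignatureMethod")
        sig_uri = method.get("Algorithm", "") if method is not None else ""
        digest_uris = [d.get("Algorithm", "")
                       for d in signed_info.iter(f"{{{DS}}}DigestMethod")]
        families = {family(sig_uri)} | {family(u) for u in digest_uris}
        if families == {"sha2"}:
            overall = "sha2"
        elif families == {"sha1"}:
            overall = "sha1"
        elif "sha1" in families and "sha2" in families:
            overall = "mixed"
        else:
            overall = "unknown"
        records.append({"signature_method": sig_uri,
                        "digest_methods": digest_uris,
                        "family": overall})
    return records


# Constructed sample: a SHA-1 signed Response with placeholder values.
SAMPLE_SHA1 = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_r1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>Q09OU1RSVUNURUQ=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""

# The same message as a SHA-2 IdP instance would emit it, and a mixed variant.
SAMPLE_SHA256 = (SAMPLE_SHA1
                 .replace("2000/09/xmldsig#rsa-sha1", "2001/04/xmldsig-more#rsa-sha256")
                 .replace("2000/09/xmldsig#sha1", "2001/04/xmlenc#sha256"))
SAMPLE_MIXED = SAMPLE_SHA256.replace("2001/04/xmlenc#sha256", "2000/09/xmldsig#sha1")

if __name__ == "__main__":
    for label, doc in (("sha1", SAMPLE_SHA1), ("sha256", SAMPLE_SHA256), ("mixed", SAMPLE_MIXED)):
        for rec in classify_signatures(doc):
            print(f"{label}: family={rec['family']} sig={rec['signature_method']}")
```

To use it on a real capture, read the decoded SAML Response into a string and call classify_signatures on it; a SAML artifact or HTTP-Redirect binding message would need to be decoded first, since the check only looks at the XML.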


