assurance - Re: [Assurance] Assurance and SHA-1/SHA-2

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] Assurance and SHA-1/SHA-2
  • Date: Fri, 9 May 2014 23:28:48 +0000
  • Accept-language: en-US

On 5/9/14, 6:35 PM, "Tom Scavo" <> wrote:
>
>I could suggest such a strategy, I suppose, but apart from
>Bronze/Silver, what is the incentive for an IdP operator to do that?

I would hope "SHA-1 is failing" would be adequate incentive or they should
just stop operating one, but apart from that, if they ever intend to
upgrade they'll have to deal with it then, or adjust defaults to leave
things as they are. If they really don't care, they probably won't upgrade
either and you're probably correct that it's moot.

>I assume you mean an identical IdP (except for SHA-2 support) set up
>on a new IP address. Then map the IdP's domain name to that IP address
>using /etc/hosts on a test client machine. Right?

No, I mean push assertions over from the new IdP using IdP-initiated. You
don't have to manipulate /etc/hosts for that. Could even run the second
IdP on the same host as the original, give it a different context path and
it won't interfere at all.

-- Scott




