Security fixes for opensaml2 and xmltooling

Scott Cantor cantor.2 at osu.edu
Wed Sep 23 19:43:49 UTC 2009


Russ Allbery wrote on 2009-09-23:
> I concur -- my sense is that the problem with properly processing key
> use limitations is rare and won't matter for most sites (if for no other
> reason than that it assumes a level of care about how X.509 certificates
> are used that I rarely see in practice).

It's quite rare. Nobody splits key usage that I'm aware of, and the threat
here is actually to have an IdP split its keys and accidentally allow an
encryption key to have signed a message. Encryption *to* an IdP is rare as
it is, and the Shibboleth IdP doesn't even support it. And even if you did
all that, it's still presumably a key belonging to the IdP at the end of the
day.

It's unlikely that I would have even done an advisory for this issue alone,
if that helps.

-- Scott





More information about the Pkg-shibboleth-devel mailing list