Dear Colleagues,



Over the coming months, Shibboleth and other IdPs which understand algorithm agility metadata [1] will use stronger algorithms when encrypting assertions sent to certain SPs. I'd like to outline plans for how the UK federation will get there.



The first production change will happen on Tuesday 23 February, where we will add a default EncryptionMethod element to all SPs' metadata where there is no EncryptionMethod registered. This will apply to UK federation-registered SPs and to those imported from eduGAIN. You do not have to make any change and this will not affect the interoperation in the vast majority of cases.



The only situation where this will downgrade the strength of XML encryption requires all three of the following to be in effect:

- you must have already configured your IdP to use GCM as the default mode of encryption instead of CBC

- you must be interoperating with a SP that can handle GCM

- that SP's metadata does not include algorithm agility metadata.



We think this is unlikely. However, if you have changed default XML encryption method on your IdP, please contact the UK federation helpdesk at [log in to unmask], and we will provide details for how to mitigate the effect.



The second phase will focus on SPs. In the coming weeks and months, we'll be contacting SP operators to ask them to update their registrations with the encryption capabilities of their SP. Note that the majority of Shibboleth SPs registered by the UK federation already have algorithm agility metadata. Note also that the Shibboleth SP has a couple of features that make it easier for us to improve data quality of registered metadata, so we will be contacting Shibboleth SP owners first. If you operate a SP which does not use Shibboleth software, we advise you to contact your software vendor and ask how to determine the XML encryption capabilities of your software.



The third phase will be to help IdP operators to switch the default encryption method on their IdPs to GCM.



Regards,

Alex



[1] SAML v2.0 Metadata Profile for Algorithm Support Version 1.0

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0-cs01.html



—

Alex Stuart, Technical Development Manager (Trust and Identity)

[log in to unmask]











Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under company number. 05747339, VAT number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.





Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.





Jisc Commercial Limited is a wholly owned Jisc subsidiary and a company limited by shares which is registered in England under company number 09316933, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.





For more details on how Jisc handles your data see our privacy notice here: https://www.jisc.ac.uk/website/privacy-notice



########################################################################



To unsubscribe from the JISC-SHIBBOLETH list, click the following link:

https://www.jiscmail.ac.uk/cgi-bin/WA-JISC.exe?SUBED1=JISC-SHIBBOLETH&A=1



This message was issued to members of www.jiscmail.ac.uk/JISC-SHIBBOLETH, a mailing list hosted by www.jiscmail.ac.uk, terms & conditions are available at https://www.jiscmail.ac.uk/policyandsecurity/