Who's supplying the keys?
Posted on Tuesday, 24 October 2023
A recent incident affecting a very small number of entities in the UK federation has surfaced issues arising from Identity Providers (IdPs) and Service Providers (SPs) using default cryptographic keys. The risk of using a default key is that someone may impersonate you. If you are an SP, an impersonator may obtain information from an IdP; whilst hard to achieve, it is not impossible. If you are an IdP using a default key, someone may impersonate your IdP almost trivially.
In the linked blog post, Jon Agland, head of Trust & Identity technical services at Jisc, provides advice to both SPs and IdPs: https://trustandidentity.jiscinvolve.org/wp/2023/05/26/whos-supplying-the-keys/
Edited by SteveGlover on 24 October 2023, at 04:17 PM