Who's supplying the keys?

Posted on Tuesday, 24 October 2023

A recent incident affecting a very small number of entities in the UK federation has surfaced issues arising from IdPs and SPs using default cryptographic keys. The risk of using a default key is that someone may impersonate you. For a Service Provider (SP), an impersonator may obtain information from an Identity Provider (IdP); whilst this is hard to achieve, it is not impossible. For an IdP, the risk of using a default key is that someone may impersonate your IdP almost trivially.

In the linked blog post, Jon Agland, head of Trust & Identity technical services at Jisc, provides advice to both service providers (SPs) and identity providers (IdPs): https://trustandidentity.jiscinvolve.org/wp/2023/05/26/whos-supplying-the-keys/

Edited by SteveGlover on 24 October 2023, at 04:17 PM