The creds directory in the 3.0.0-alpha1 distribution includes files containing private keys (actually, one private key repeated in two files).
We MUST ensure that this does not occur for subsequent alpha releases and of course the final release. Sure as eggs is eggs, someone will make use of this key in a production environment. You may not believe that anyone would do this, but I can assure you that it will happen. For example, we know that simpleSAMLphp shipped with a default key for some time, and multiple entities ended up using that key in production. We only discovered this when hunting down 1024-bit keys at the end of 2013.
I have the technology in the UK federation tooling to blacklist keys, and as a precaution I have blacklisted this one. However, other federations are not so well equipped and may be vulnerable. We should not be making the job of federation operators harder.
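The check described above, as an added example and not Shibboleth project code: a release-hygiene script that walks a distribution tree, refuses to ship if any PEM private key is present, reports the same key duplicated across files (the situation reported here), and compares each key's fingerprint against a known-bad list of the kind a federation operator would maintain. File names and key bodies are constructed for the example; the "keys" are just base64 text so the parser has something to decode, not real key material.

```python
"""Release-hygiene check: refuse to ship a distribution that contains private keys.

Added example, not project code. File names and key bodies below are constructed;
the key bodies are NOT real keys, only base64 so the PEM parser can decode them.
"""
import base64
import hashlib
import os
import re
from typing import Dict, List, Set, Tuple

# Matches any PEM private-key block: "RSA PRIVATE KEY", "EC PRIVATE KEY",
# PKCS#8 "PRIVATE KEY" and "ENCRYPTED PRIVATE KEY". The END label must match BEGIN.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN ((?:[A-Z]+ )?(?:ENCRYPTED )?PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----",
    re.S,
)


def fingerprint(pem_body: str) -> str:
    """SHA-256 over the decoded DER, so line wrapping or whitespace differences
    between two copies of the same key do not hide the duplication."""
    der = base64.b64decode("".join(pem_body.split()))
    return hashlib.sha256(der).hexdigest()


def find_private_keys(text: str) -> List[Tuple[str, str]]:
    """Return (label, fingerprint) for every private-key block in one file."""
    return [(m.group(1), fingerprint(m.group(2))) for m in PEM_PRIVATE_KEY.finditer(text)]


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map key fingerprint -> sorted list of paths that contain that key."""
    found: Dict[str, List[str]] = {}
    for path, text in files.items():
        for _label, fp in find_private_keys(text):
            found.setdefault(fp, []).append(path)
    return {fp: sorted(paths) for fp, paths in found.items()}


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Read every file under an unpacked distribution and scan it (used on a real tree)."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
            except OSError:
                continue  # unreadable entries (sockets, permission errors) are skipped
    return scan_files(files)


def release_check(found: Dict[str, List[str]], known_bad: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Every finding is a (kind, fingerprint, paths) tuple. An empty list means the
    release may ship; any 'shipped' finding alone is enough to block it."""
    problems: List[Tuple[str, str, List[str]]] = []
    for fp, paths in sorted(found.items()):
        problems.append(("shipped", fp, paths))
        if len(paths) > 1:
            problems.append(("duplicate", fp, paths))
        if fp in known_bad:
            problems.append(("known-bad", fp, paths))
    return problems


# --- constructed sample distribution (not real files, not real keys) ---
SAMPLE_BODY_A = base64.b64encode(b"CONSTRUCTED SAMPLE KEY A, NOT A REAL KEY").decode()
SAMPLE_BODY_B = base64.b64encode(b"CONSTRUCTED SAMPLE KEY B, NOT A REAL KEY").decode()


def pem_block(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_FILES = {
    "creds/idp-signing.key": pem_block("RSA PRIVATE KEY", SAMPLE_BODY_A),
    "creds/idp-encryption.key": pem_block("RSA PRIVATE KEY", SAMPLE_BODY_A),  # same key twice
    "creds/sealer.key": pem_block("PRIVATE KEY", SAMPLE_BODY_B),
    "conf/idp.properties": "idp.signing.key=creds/idp-signing.key\n",  # no key material
}
# A federation operator's blocklist of fingerprints that must never appear in a release.
KNOWN_BAD = {fingerprint(SAMPLE_BODY_A)}

if __name__ == "__main__":
    for kind, fp, paths in release_check(scan_files(SAMPLE_FILES), KNOWN_BAD):
        print(f"{kind:10} {fp[:16]}  {', '.join(paths)}")
```

On a real unpacked release, replace `scan_files(SAMPLE_FILES)` with `scan_tree("/path/to/unpacked/distribution")` and fail the build when `release_check` returns anything at all; the duplicate and known-bad findings only add detail to a release that must already not ship.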