Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default signing algorithm should be SHA-256? #269

Closed
timabbott opened this issue Feb 20, 2020 · 2 comments
Closed

Default signing algorithm should be SHA-256? #269

timabbott opened this issue Feb 20, 2020 · 2 comments

Comments

@timabbott
Copy link

It looks like the default/recommended signatureAlgorithm in the documentation uses SHA-1, which is no longer considered secure. Can this be changed to SHA-256?

        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
@timabbott timabbott mentioned this issue Feb 20, 2020
Closed
@pitbulk
Copy link
Contributor

pitbulk commented Feb 21, 2020

I updated the doc and settings. The default value if the setting parameter is not provided still gonna be sha1 for backward compatibility.

@timabbott
Copy link
Author

OK -- I'd encourage you to change that default and just document the change in the release notes. I don't think backward-compatibility is a good reason to default to a known insecure algorithm (which basically means all downstream projects, like python-social-auth which uses the default SECURITY settings, will be insecure).

If you're not able to change the default here, I guess I'll open an issue with python-social-auth for them to fix it.

@timabbott timabbott mentioned this issue Oct 20, 2021
Closed
@mateuszmandera mateuszmandera mentioned this issue Oct 21, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pitbulk @timabbott