The "SAML v2.0 Metadata Profile for Algorithm Support Version 1.0" specification states that if "multiple md:EncryptionMethod elements identifying algorithms of the same general type are present, they MUST be listed in order of preference by the entity". This is currently not possible in Jagger, but what is worse is that the default listing is ordered from the least secure algorithm to the most secure one, which of course is not the order of preference.
A simple and quick fix would be to sort the current array from the most secure to the least secure in:
application/helpers/metadata_elements_helper.php
Davide Vaghetti
Davide's proposed solution seems to be a good way forward.
I have a concern about re-ordering the array if an existing entity registers encryption algorithms that it doesn't support. There's the potential for the re-ordering to put an unsupported algorithm into first preference.
To mitigate this, you need good documentation about what the EncryptionMethod checkboxes do, and good release notes for deployers to warn them during an upgrade. I'm happy to review those when you address this issue.
@janul is there any movement on this issue? Metadata that shows an insecure ordering of algorithms is still being published by new deployers of your software.
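The sort proposed in the issue, together with the concern raised in the comments that re-ordering must never promote an algorithm the entity did not select, can be implemented as below. This is an added example written for this page, not Jagger's own code or a patch to metadata_elements_helper.php. It orders only the algorithms the entity actually ticked, keeps the two general types (block encryption and key transport) separate as the profile requires, and includes a check that flags already-published metadata listed weakest-first. The preference ranking and the sample EntityDescriptor are this example's own assumptions (the constructed sample omits ds:KeyInfo for brevity).

```php
<?php
// Added example (not Jagger code): order md:EncryptionMethod elements by
// preference, most secure first, within each general algorithm type, and
// detect metadata that still lists them weakest-first.

const XMLENC   = 'http://www.w3.org/2001/04/xmlenc#';
const XMLENC11 = 'http://www.w3.org/2009/xmlenc11#';
const NS_MD    = 'urn:oasis:names:tc:SAML:2.0:metadata';

// Assumed ranking (lower number = preferred). Algorithms of one general type
// are ranked only against each other, as the profile orders them per type.
const ALGORITHM_PREFERENCE = [
    'block' => [
        XMLENC11 . 'aes256-gcm'    => 0,
        XMLENC11 . 'aes128-gcm'    => 1,
        XMLENC   . 'aes256-cbc'    => 2,
        XMLENC   . 'aes128-cbc'    => 3,
        XMLENC   . 'tripledes-cbc' => 4,
    ],
    'keytransport' => [
        XMLENC11 . 'rsa-oaep'       => 0,
        XMLENC   . 'rsa-oaep-mgf1p' => 1,
        XMLENC   . 'rsa-1_5'        => 2,
    ],
];

// Return the entity's selected algorithm URIs grouped by type and sorted
// most-secure-first. URIs not in the table are dropped, never guessed at, so
// sorting cannot put an unselected or unknown algorithm into first place.
function orderEncryptionMethods(array $selected): array
{
    $ordered = [];
    foreach (ALGORITHM_PREFERENCE as $type => $ranking) {
        $chosen = array_values(array_intersect(array_keys($ranking), $selected));
        usort($chosen, fn($a, $b) => $ranking[$a] <=> $ranking[$b]);
        $ordered[$type] = $chosen;
    }
    return $ordered;
}

// Emit the md:EncryptionMethod elements in preference order.
function encryptionMethodsXml(array $selected): string
{
    $out = '';
    foreach (orderEncryptionMethods($selected) as $algorithms) {
        foreach ($algorithms as $uri) {
            $safe = htmlspecialchars($uri, ENT_XML1 | ENT_QUOTES, 'UTF-8');
            $out .= '<md:EncryptionMethod Algorithm="' . $safe . '"/>' . "\n";
        }
    }
    return $out;
}

// Check published metadata: report every EncryptionMethod that appears after
// a weaker algorithm of the same general type within one KeyDescriptor.
function findMisorderedEncryptionMethods(string $metadataXml): array
{
    $doc = new DOMDocument();
    $doc->loadXML($metadataXml);
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', NS_MD);
    $problems = [];
    foreach ($xp->query('//md:KeyDescriptor') as $i => $kd) {
        $lastRank = [];
        foreach ($xp->query('md:EncryptionMethod/@Algorithm', $kd) as $attr) {
            $uri = $attr->value;
            foreach (ALGORITHM_PREFERENCE as $type => $ranking) {
                if (!isset($ranking[$uri])) {
                    continue;
                }
                $rank = $ranking[$uri];
                if (isset($lastRank[$type]) && $rank < $lastRank[$type]) {
                    $problems[] = "KeyDescriptor #$i: $uri is listed after a weaker $type algorithm";
                }
                $lastRank[$type] = $rank;
            }
        }
    }
    return $problems;
}

// Constructed sample showing the weakest-first ordering the issue describes.
$sample = <<<XML
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
XML;

foreach (findMisorderedEncryptionMethods($sample) as $problem) {
    echo $problem, "\n";
}
// Same selection, re-emitted in preference order (GCM first, then CBC, then 3DES; OAEP before PKCS#1 v1.5).
echo encryptionMethodsXml([
    XMLENC . 'tripledes-cbc', XMLENC . 'aes128-cbc', XMLENC11 . 'aes256-gcm',
    XMLENC . 'rsa-1_5', XMLENC . 'rsa-oaep-mgf1p',
]);
```

Run with `php example.php`. The check function is the part a federation operator would point at published metadata to find deployers still emitting the weakest-first list; the ordering function only reorders what was selected, which is the mitigation for the concern that an upgrade could silently move an unsupported algorithm to first preference.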