wish: warn on insecure algorithms

[markstos]

Hello,

I maintain the passport-saml library which has this library as a dependency.

We'd also like to move away from insecure algorithms. However, a SAML service provider may integrate with dozens of Identity providers. How can we know if insecure algorithms are in use? It seems simply disabling them may break some integrations.

It would be helpful if there was an option to allow insecure algorithms as before, but issue a warning if they are used. This change would be safe to deploy and would allow collecting log data to see if any integrations are using insecure algorithms. We could then notify our partners about the problem so that we could later disable the insecure algorithms without breaking anything.

Describe the ideal solution

One option is to always start issuing warning if insecure algorithms are used.

Another option is to add a boolean flag to opt-in (or out) of having the warnings be issued.

Thanks!

[gkwang]

@markstos would console.warn() suffice or do you have other approaches in mind?

[markstos]

@gkwang console.warn() would be sufficient. That will generate log output I can search through.

Thanks.

[gkwang]

This is now included in the v1.1.0 release.

[markstos]

Related ticket for passport-saml: node-saml/passport-saml#429