SECURITY BULLETIN

Deprecation Notice for SHA-1 Hash Algorithm

February 2018

1EdTech has decided to deprecate the use of SHA-1 in its standards like Learning Tools Interoperability^® (LTI)^® and OneRoster^® as the majority of education technology organizations are indicating a desire for use of a more robust encryption algorithm.

A transition period is provided as described below:

New Certifications

All new product certifications after July 1, 2018, must support SHA-256 and we recommend they also support SHA-1 for backward compatibility during the transition period.  The specifications affected by this are:

●     LTI 1.1 Tool Consumer

●     LTI 1.1 Tool Provider

●     LTI Deep Linking Message (formerly known as Content Item)

●     OneRoster 1.0 Service Provider - no new certifications to OneRoster 1.0 will be permitted

●     OneRoster 1.0 Service Consumer - no new certifications to OneRoster 1.0 will be permitted

●     OneRoster 1.1 Service Provider

●     OneRoster 1.1 Service Consumer

Recertifications

Recertifications after January 1, 2019, must support SHA-256 and we recommend they also support SHA-1 for backward compatibility during the transition period.

●     LTI 1.1 Tool Consumer

●     LTI 1.1 Tool Provider

●     LTI Deep Linking Message (formerly known as Content Item)

●     OneRoster 1.0 Service Provider - no recertifications to OneRoster 1.0 will be permitted

●     OneRoster 1.0 Service Consumer - no recertifications to OneRoster 1.0 will be permitted

●     OneRoster 1.1 Service Provider

●     OneRoster 1.1 Service Consumer

Final Deprecation

Effective January 1, 2020, SHA-1 must not be used and will no longer be certified.

1EdTech is publishing an ecosystem-wide security framework based upon OAuth 2 which is implemented in its latest released standards such as LTI Advantage.