Security Update and Deprecation Schedule for Early Versions of LTI
UPDATED MARCH 2020
In collaboration with IMS members, the IMS Security Framework was published in May 2019. The Security Framework is based upon the OAuth 2.0 and OpenID Connect specifications. This framework adopts state-of-the-art security techniques and best practices and includes protection against known potential issues such as Cross-Site Request Forgery (CSRF). A number of IMS specifications have already aligned to the Security Framework, in particular, IMS Learning Tools Interoperability® (LTI) 1.3 and LTI Advantage.
In keeping with its commitment to data privacy and security, in February 2018, IMS announced the timeline for the deprecation of the use of SHA-1 with OAuth 1.0a such that no certifications using that approach will be available after 31 December 2019. That announcement had implications for certifications to the LTI 1.0 and 1.1 specifications.
Now, with the publication and adoption of the IMS Security Framework, IMS formally deprecates the use of OAuth 1.0a across all IMS specifications. Therefore, certification to the LTI 1.0, 1.1, 1.2, and 2.0 specifications and related services is being deprecated. See the LTI Support and Deprecation Schedule below.
IMS is very pleased that its new Security Framework and the latest LTI Core version 1.3 (a key part of LTI Advantage), based on OAuth 2, JSON Web Tokens and the OpenID Connect workflow, make LTI Advantage the most secure integration option available.
Retrofitting a Security Update in Early LTI Versions
Transitioning to LTI 1.3 is strongly encouraged, but for organizations that decide not to upgrade LTI versions, IMS is providing a security update for selected legacy versions of LTI. These updated specifications, along with implementation guidance and IMS certification, are designated as 1.0.1 and 1.1.2 and are planned to be available for certification through mid-year 2022. After that time, LTI 1.3 and its successor will be the minimum versions eligible for IMS certification. The LTI Security Update patch document for LTI versions 1.0.1 and 1.1.2 is now available.
The OpenID Connect workflow in LTI Advantage is a step-increase in security protection and involves a substantial change to the trust-orchestration between a platform and tool. Implementers should choose to upgrade to LTI 1.3 and LTI Advantage in concert with these security upgrades because of the many additional feature benefits it provides. LTI 1.3 and the LTI Advantage services are the best options for roadmap planners.
Leading platform and tools suppliers are already LTI Advantage certified or near completion of their certification. Their ability to move forward rapidly was made possible by a fully-functional LTI Advantage Reference Implementation made available to IMS members and the public for use as a design and coding model and a live testing proxy. IMS Global recommends product suppliers adopt LTI 1.3 and LTI Advantage to achieve their features and security benefits.
IMS and its members are committed to the highest levels of privacy, security, and transparency in data handling. Risks cannot be avoided entirely, but they can be substantially mitigated through the exercise of due diligence, which includes keeping your learning products up to date with the latest and most secure versions of LTI. IMS staff are poised to help members enhance their security and upgrade to the current versions of LTI. If you are interested in learning more, have questions, or need guidance, we suggest you join a future LTI Roundtable discussion held on the fourth Tuesday of every month. You will find meeting details in the IMS events calendar.
LTI Support and Deprecation Schedule
| LTI Version | | Date of the Last New Certification | Date of the Last Recertification | Certification Valid Through* | |
|---|---|---|---|---|---|
| 1.0.1 | Basic Launch with Updated Security | 06/30/2020 | 06/30/2021 | 06/30/2022 | |
| 1.1 | Basic Outcomes | 12/31/2019 | 12/31/2020 | 12/31/2021 | Deprecated, and related services** |
| 1.1.1 | Minor update to roles | 12/31/2019 | 12/31/2019 | 12/31/2020 | Deprecated |
| 1.1.2 | Basic Outcomes with Updated Security | 06/30/2020 | 06/30/2021 | 06/30/2022 | |
| 1.2 | Tool Consumer Profile | 12/31/2019 | 12/31/2019 | 12/31/2020 | Deprecated |
| 1.3 | LTI Advantage Core (currently LTI 1.3) | Ongoing | Ongoing | Ongoing | Recommended LTI Version |
| 2.0 | Tool Consumer, Proxy and Auto-Registration | 12/31/2019 | 12/31/2019 | | |

\* Certifications and recertifications have a minimum 12-month validity period and therefore may be active and valid for up to 12 months after certification.

\*\* Associated LTI services that are also to be deprecated: Deep Linking v1.0, Names and Role Provisioning Service v1.0, Basic Outcomes v1.0.
If you have any questions related to this announcement, please contact IMS Global at firstname.lastname@example.org.