SECURITY BULLETIN
Deprecation Notice for SHA-1 Hash Algorithm
February 2018
1EdTech has decided to deprecate the use of SHA-1 in its standards like Learning Tools Interoperability® (LTI)® and OneRoster® as the majority of education technology organizations are indicating a desire for use of a more robust encryption algorithm.
A transition period is provided as described below:
New Certifications
All new product certifications after July 1, 2018, must support SHA-256 and we recommend they also support SHA-1 for backward compatibility during the transition period. The specifications affected by this are:
● LTI 1.1 Tool Consumer
● LTI 1.1 Tool Provider
● LTI Deep Linking Message (formerly known as Content Item)
● OneRoster 1.0 Service Provider - no new certifications to OneRoster 1.0 will be permitted
● OneRoster 1.0 Service Consumer - no new certifications to OneRoster 1.0 will be permitted
● OneRoster 1.1 Service Provider
● OneRoster 1.1 Service Consumer
Recertifications
Recertifications after January 1, 2019, must support SHA-256 and we recommend they also support SHA-1 for backward compatibility during the transition period.
● LTI 1.1 Tool Consumer
● LTI 1.1 Tool Provider
● LTI Deep Linking Message (formerly known as Content Item)
● OneRoster 1.0 Service Provider - no recertifications to OneRoster 1.0 will be permitted
● OneRoster 1.0 Service Consumer - no recertifications to OneRoster 1.0 will be permitted
● OneRoster 1.1 Service Provider
● OneRoster 1.1 Service Consumer
Final Deprecation
Effective January 1, 2020, SHA-1 must not be used and will no longer be certified.
1EdTech is publishing an ecosystem-wide security framework based upon OAuth 2 which is implemented in its latest released standards such as LTI Advantage.