To improve security, WAYF is currently integrating a so-called hardware security module (an ‘HSM’) into its setup. Login traffic sent from WAYF to SPs and IdPs as well as WAYF metadata will in future be signed within the HSM — using private keys generated within the HSM — from where they will never be able to be exposed. With the HSM in place as WAYF's signing component, it will no longer be physically possible for anyone to steal WAYF's signing keys.
Initially, however, WAYF will put the HSM into operation using the current signing keys — which it is acutally possible to import into the box. But at some point, WAYF will start using HSM-generated keys in all of its signings — which will of course make it necessary for WAYF connected entities to replace the current WAYF signing certificate by a new one (featuring the new public key). Technical contacts at the connected organisations will be notified in due time.
More information on WAYF's hardware security module will be published on this page over time.