Potential concern of users viewing ltijs as an LTI "shim"

[danny-does-stuff]

I am very grateful for your work with ltijs and providing great open source software! I wanted to bring this to your attention in case it may be something you would like to be aware of.

I came across this document put out by 1EdTech advising against the use of what they call "LTI shims". It defines a shim as "an intermediary piece of software that bridges the connection between two systems". It goes on to explain that a "platform-hosted" or "tool-hosted" shim is ok, but that "Third Party" shims pose various security risks and should be avoided by educational tools.

I believe that ltijs fits their definition of a "shim", and that it falls squarely into the "tool-hosted shim" category. This means that it is not the type of software that 1EdTech is advising against, but potential users may still be wary of any type of shim, and therefore be more wary of ltijs.

There's nothing really actionable here, this is simply something that I came across today and thought it may be valuable for you to know as well! The document goes on to say that "In 2024, the certification process will be strengthened to add additional checks to ensure the LTI 1.3 connection for a tool is direct to the tool and not via 3rd party providers." I hope you find this information useful, and thanks again for this great open source solution!