Dyck, Lionel B., TRA wrote:
We asked IBM support about implementing SHA2 for the SMP/E FTP download process 
and were told to open an RFE. That seems kinda insane given that SHA-1 seems to 
be heading to the heap of obsolete technologies.

Can anyone shed any light on this?  Opening an RFE seems absurd given that this 
is an industry standard for security that we are being forced into as I type 
this and I'm sure we're not the only IBM customer who will be impacted by the 
lack of SHA2 support.

<snip>

We understand the NIST recommendation to move off SHA-1 for security-related purposes. However, our use of SHA-1 in this context has nothing to do with security, and as far as I know it was never intended to provide any. We are using SHA-1 just to be reasonably sure that what we send over the wire is what you get from a data integrity standpoint. (I wrote the ServerPac part of the design for Internet delivery.)

As I hope everyone knows, we are shortly disallowing FTP connections at our servers. The use of FTPS or HTTPS will be required to download z/OS platform products and PTFs. Secure delivery using HTTPS or FTPS uses different algorithms for securing the link, and happens to pass through a package that has a SHA-1 hash of its content.

So...with all that in mind...what is the actual requirement here? Does anyone think the probability of an undetected data integrity exposure is too high because we're using SHA-1? Are auditors reflexively telling you that any use of SHA-1 for anything at all is not acceptable whether or not it's security related? Something else?

--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com
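The distinction drawn above, a content digest that only detects accidental or undetected transfer corruption while FTPS/HTTPS secures the link, can be illustrated with a small algorithm-agnostic verifier. This is an added example, not part of John Eells's reply and not IBM's ServerPac or SMP/E code; the package bytes and the one-line `ALGORITHM HEXDIGEST` manifest format are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample "package" standing in for a downloaded SMP/E file (not a real IBM package).
PACKAGE = b"SAMPLE PACKAGE CONTENT LINE\n" * 64

# The algorithm the manifest names today (SHA-1, per the thread) and one it may name later.
# Both are accepted so the verifier keeps working if the publisher switches digests.
ALLOWED_ALGORITHMS = {"sha1", "sha256"}


def digest_of(data: bytes, algorithm: str) -> str:
    """Hex digest of data using a named, allowed hashlib algorithm."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def make_manifest(data: bytes, algorithm: str) -> str:
    """Build a one-line manifest 'ALGORITHM HEXDIGEST' for the package (assumed format)."""
    return f"{algorithm} {digest_of(data, algorithm)}"


def verify_package(data: bytes, manifest: str) -> bool:
    """Recompute the digest named in the manifest and compare in constant time.

    A mismatch means the bytes received are not the bytes hashed at the source
    (a transfer error, for example). The digest says nothing about who sent the
    package or whether the link was private; that is the job of FTPS/HTTPS."""
    algorithm, expected = manifest.split()
    actual = digest_of(data, algorithm.lower())
    return hmac.compare_digest(actual, expected.lower())


def corrupt_one_byte(data: bytes, offset: int) -> bytes:
    """Flip one bit of the package to simulate a corrupted transfer."""
    mutated = bytearray(data)
    mutated[offset] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    for algo in sorted(ALLOWED_ALGORITHMS):
        manifest = make_manifest(PACKAGE, algo)
        print(algo, "intact:", verify_package(PACKAGE, manifest),
              "corrupted:", verify_package(corrupt_one_byte(PACKAGE, 100), manifest))
```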

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN