Without promising anything at all, please don't be too hasty to prejudge the outcome of this discussion. What I tried to ask is what the actual requirement is.

The consensus seems to be that the actual requirement is "keep the auditors happy [and by implication let us keep using internet-based software delivery, because they set rules we have to follow] by making any use of SHA-1 'go away' in this context."

That is not quite the same as it being (a) an actual security exposure or (b) a system integrity exposure. That also does *not* make it unimportant. I just want to be sure we are talking about the right things.

Suppose we went off on the path of providing digital signatures for z/OS software packaging that Andrew Rowley brought up:

- Would a certificate-based signature do?
- What requirements would you have for certificates?
- Would you want signature verification to be optional?
- If signature verification were to be optional, would it be acceptable to use the SHA-1 hash for integrity checking if the recipient chose not to verify the signature? Or, would it still be necessary to use a different algorithm?
- Anything else to think about?

Dyck, Lionel B., TRA wrote:
What's going to happen is that IBM will not support SHA-2 (or -3) and every
shop with any degree of security (HIPAA, SOX, DoD, ...) will cease to be able
to use the internet delivery option. Being told to create an RFE for something 
that is obvious is troubling and to be told that it doesn't matter is worse. 
This is not my first shop where auditors dictate a higher level of security 
than most think required but they are following guidelines from someone higher 
up that can't be argued with.

Somehow I don't think I'm the first to raise this nor will I be the last.
<snip>

--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN