> On 2 Nov 2015, at 11:44 AM, Paul Wouters <p...@nohats.ca> wrote:
> 
> On Mon, 2 Nov 2015, Yoav Nir wrote:
> 
>> P.S. Someone’s asked me off-list whether there is any IPsecME document that 
>> says not to trust SHA-1 in signatures, both AUTH payload and certificates, 
>> the way the TLS 1.3 document may end up saying for TLS. I’m wondering if 
>> RFC4307bis might be the place for this, in particular the signature in AUTH 
>> payload. Just something to think about before we bikeshed.
> 
> We should have text to clarify the difference of algorithm use in
> IKE/IPsec and in AUTH processing. Initial thought is that AUTH
> processing crypto restrictions don't belong in 4307bis.

I think we do need some kind of statement along the lines:
 - With RSA signatures, use SHA-256 or better, not SHA-1 (BTW: 7296 says 
“SHOULD use SHA-1” and this is a document from only last year…)
 - Don’t use DSS because that is only defined with SHA-1.
 - With ECDSA no need to specify because each curve comes with a hash
 - PSK is fine because you are using a PRF.
 - With anything else, don’t use any hash weaker than SHA-256.

If not here, where does this advice go?

Yoav
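The list above can be applied mechanically to a peer's AUTH payload and to the hash list it advertises. The following is an added example, not code from the thread or from any IPsec implementation; it encodes the five rules in the message as a policy check over IKEv2 Authentication Method identifiers (IANA registry: 1 RSA, 2 shared key, 3 DSS, 9/10/11 ECDSA on P-256/P-384/P-521, 14 generic Digital Signature from RFC 7427) and over the 16-bit hash identifiers carried in an RFC 7427 SIGNATURE_HASH_ALGORITHMS notify (1 SHA1, 2 SHA2-256, 3 SHA2-384, 4 SHA2-512). The policy thresholds, the function names and the sample notify bytes are assumptions constructed for the example; the identifier values are the registry ones.

```python
"""Policy check mirroring the hash advice in the message above.

Added example: the identifier values come from the IANA IKEv2 registries
and RFC 7427; the acceptance rules are an assumed policy that follows the
five bullets in the message, not text from any RFC.
"""
import struct
from typing import Optional, Tuple, List

# IKEv2 Authentication Method identifiers (IANA registry).
AUTH_RSA_SIG = 1            # RSA Digital Signature (RFC 7296)
AUTH_PSK = 2                # Shared Key Message Integrity Code
AUTH_DSS_SIG = 3            # DSS Digital Signature
AUTH_ECDSA_P256_SHA256 = 9  # ECDSA with SHA-256 on P-256 (RFC 4754)
AUTH_ECDSA_P384_SHA384 = 10
AUTH_ECDSA_P521_SHA512 = 11
AUTH_DIGITAL_SIG = 14       # generic Digital Signature (RFC 7427)

# RFC 7427 hash identifiers used in SIGNATURE_HASH_ALGORITHMS.
HASH_NAMES = {1: "SHA1", 2: "SHA2-256", 3: "SHA2-384", 4: "SHA2-512"}
WEAK_HASHES = {1}           # assumed policy: nothing weaker than SHA-256

ECDSA_METHODS = {AUTH_ECDSA_P256_SHA256, AUTH_ECDSA_P384_SHA384,
                 AUTH_ECDSA_P521_SHA512}


def _hash_ok(hash_id: Optional[int]) -> Tuple[bool, str]:
    """Apply the 'SHA-256 or better' rule to a negotiated hash identifier."""
    if hash_id is None:
        return False, "signature hash not stated"
    name = HASH_NAMES.get(hash_id, "unknown(%d)" % hash_id)
    if hash_id in WEAK_HASHES or hash_id not in HASH_NAMES:
        return False, "%s is weaker than SHA-256 or unrecognised" % name
    return True, name


def check_auth_method(method: int,
                      hash_id: Optional[int] = None) -> Tuple[bool, str]:
    """Return (acceptable, reason) for an AUTH payload under the assumed policy.

    hash_id is the RFC 7427 hash identifier actually used for the signature
    when the method does not fix it (RSA, generic Digital Signature, or any
    other signature method); it is ignored for PSK and ECDSA.
    """
    if method == AUTH_PSK:
        # Integrity comes from the negotiated PRF; no signature hash involved.
        return True, "PSK: protected by the PRF, no signature hash"
    if method in ECDSA_METHODS:
        # Each curve carries its own hash (SHA-256/384/512); nothing to choose.
        return True, "ECDSA: hash fixed by the curve"
    if method == AUTH_DSS_SIG:
        # DSS in IKEv2 is only defined with SHA-1.
        return False, "DSS: only defined with SHA-1"
    # RSA, generic Digital Signature and 'anything else' share the rule:
    # the hash must be SHA-256 or better.
    ok, detail = _hash_ok(hash_id)
    label = {AUTH_RSA_SIG: "RSA", AUTH_DIGITAL_SIG: "Digital Signature"}.get(
        method, "method %d" % method)
    return ok, "%s: %s" % (label, detail)


def filter_signature_hashes(notify_data: bytes) -> List[int]:
    """Parse SIGNATURE_HASH_ALGORITHMS notify data (a list of 16-bit hash
    identifiers) and return only those the policy accepts, in offered order."""
    if len(notify_data) % 2:
        raise ValueError("notify data is not a sequence of 16-bit identifiers")
    offered = struct.unpack("!%dH" % (len(notify_data) // 2), notify_data)
    return [h for h in offered if _hash_ok(h)[0]]


if __name__ == "__main__":
    # Constructed sample: a peer advertising SHA1, SHA2-256, SHA2-384, SHA2-512.
    sample_notify = bytes.fromhex("0001000200030004")
    print("accepted hashes:", filter_signature_hashes(sample_notify))
    for m, h in [(AUTH_RSA_SIG, 1), (AUTH_RSA_SIG, 2), (AUTH_DSS_SIG, None),
                 (AUTH_ECDSA_P256_SHA256, None), (AUTH_PSK, None),
                 (AUTH_DIGITAL_SIG, 3)]:
        print(m, h, check_auth_method(m, h))
```

The check treats RFC 7296's RSA method the same way as the generic Digital Signature method: it is acceptable only when the hash actually used is stated and is at least SHA-256, which is what the first bullet asks for; an implementation that silently applies the "SHOULD use SHA-1" default fails the check because no hash identifier is supplied.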

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
