> On 2 Nov 2015, at 12:27 PM, Paul Wouters <p...@nohats.ca> wrote:
> 
> On Mon, 2 Nov 2015, Yoav Nir wrote:
> 
>>>> P.S. Someone’s asked me off-list whether there is any IPsecME document 
>>>> that says not to trust SHA-1 in signatures, both AUTH payload and 
>>>> certificates, the way the TLS 1.3 document may end up saying for TLS. I’m 
>>>> wondering if RFC4307bis might be the place for this, in particular the 
>>>> signature in AUTH payload. Just something to think about before we 
>>>> bikeshed.
>>> 
>>> We should have text to clarify the difference of algorithm use in
>>> IKE/IPsec and in AUTH processing. Initial thought is that AUTH
>>> processing crypto restrictions don't belong in 4307bis.
>> 
>> I think we do need some kind of statement along the lines:
>> - With RSA signatures, use SHA-256 or better, not SHA-1 (BTW: 7296 says 
>> “SHOULD use SHA-1” and this is a document from only last year…)
>> - Don’t use DSS because that is only defined with SHA-1.
>> - With ECDSA no need to specify because each curve comes with a hash
>> - PSK is fine because you are using a PRF.
>> - With anything else, don’t use any hash weaker than SHA-256.
>> 
>> If not here, where does this advice go?
> 
> I see your point. But for instance for X509 certificates, I really would
> like to not make any statement and point to whatever equivalent of PKIX
> documents there are on that. Does the TLS WG have any documents on
> crypto agility for PKIX?

The TLS list currently has a thread about whether TLS 1.3 should prohibit SHA-1 
only in signatures or also in the certificate chain. 

It’s not decided yet, but they *are* prohibiting SHA-1 in the protocol 
(CertificateVerify message), and current spec prohibits server certificate 
signed with SHA-1 (only EE certificate) when another certificate exists.

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
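As an added example (not from this thread or from any IPsecME document), the following stdlib-only Python script does the certificate-chain check the TLS discussion above is about: it walks each DER certificate far enough to read the signature algorithm OID, flags SHA-1 based algorithms (sha1WithRSAEncryption 1.2.840.113549.1.1.5, dsa-with-sha1 1.2.840.10040.4.3, ecdsa-with-SHA1 1.2.840.10045.4.1), distinguishes a self-signed trust anchor (whose signature a relying party never verifies) from the rest of the chain, and also checks that tbsCertificate.signature matches the outer signatureAlgorithm as RFC 5280 section 4.1.1.2 requires. The function names and the `fake_cert` builder are mine; `fake_cert` produces constructed stand-ins containing only the fields the scanner reads, not valid certificates.

```python
# Added example: scan a DER certificate chain for SHA-1 signature algorithms.
# Stdlib only; the DER walker reads just enough of RFC 5280 Certificate to
# reach the two AlgorithmIdentifier fields.

SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    n = 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                  # last base-128 digit of this arc
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = _read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, tbs, pos = _read_tlv(cert)                  # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)         # signatureAlgorithm
    outer_oid = _decode_oid(_read_tlv(outer_alg)[1])
    tag, _, p = _read_tlv(tbs)                     # [0] EXPLICIT version, or serialNumber
    if tag == 0xA0:                                # version present: skip serialNumber too
        _, _, p = _read_tlv(tbs, p)
    _, inner_alg, _ = _read_tlv(tbs, p)            # tbsCertificate.signature
    inner_oid = _decode_oid(_read_tlv(inner_alg)[1])
    return inner_oid, outer_oid


def audit_chain(chain, anchor_included=True):
    """chain: DER certificates, end-entity first. Returns (index, verdict, detail)."""
    findings = []
    for i, cert in enumerate(chain):
        inner, outer = signature_algorithms(cert)
        if inner != outer:                         # RFC 5280 4.1.1.2: must be identical
            findings.append((i, "mismatch", f"{inner} != {outer}"))
        if outer in SHA1_SIGNATURE_OIDS:
            name = SHA1_SIGNATURE_OIDS[outer]
            if anchor_included and i == len(chain) - 1:
                # Self-signature on the trust anchor is never verified by a relying party.
                findings.append((i, "ignore", name))
            else:
                findings.append((i, "reject", name))
    return findings


# --- constructed sample input (hypothetical, not real certificates) ---------

def _tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def fake_cert(inner_oid, outer_oid):
    """Certificate-shaped stand-in carrying only version, serial and the two AlgorithmIdentifiers."""
    alg = lambda oid: _tlv(0x30, _encode_oid(oid) + b"\x05\x00")     # AlgorithmIdentifier {oid, NULL}
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg(inner_oid))
    return _tlv(0x30, tbs + alg(outer_oid) + _tlv(0x03, b"\x00" * 9))   # dummy BIT STRING signature


if __name__ == "__main__":
    SHA256_RSA, SHA1_RSA = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"
    chain = [fake_cert(SHA256_RSA, SHA256_RSA), fake_cert(SHA1_RSA, SHA1_RSA), fake_cert(SHA1_RSA, SHA1_RSA)]
    for finding in audit_chain(chain):
        print(finding)
```

Run with `anchor_included=False` when the last certificate in the list is an intermediate rather than the root you trust; the SHA-1 verdict then changes from "ignore" to "reject", which is exactly the leaf-versus-chain distinction the TLS thread is arguing over.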
