Forgot the link…

> On 2 Nov 2015, at 12:38 PM, Yoav Nir <ynir.i...@gmail.com> wrote:
>
>> On 2 Nov 2015, at 12:27 PM, Paul Wouters <p...@nohats.ca> wrote:
>>
>> On Mon, 2 Nov 2015, Yoav Nir wrote:
>>
>>>>> P.S. Someone’s asked me off-list whether there is any IPsecME document
>>>>> that says not to trust SHA-1 in signatures, both AUTH payload and
>>>>> certificates, the way the TLS 1.3 document may end up saying for TLS. I’m
>>>>> wondering if RFC4307bis might be the place for this, in particular the
>>>>> signature in AUTH payload. Just something to think about before we
>>>>> bikeshed.
>>>>>
>>>>> RFC4307bis Bikeshedding Session.
>>>>
>>>> We should have text to clarify the difference of algorithm use in
>>>> IKE/IPsec and in AUTH processing. Initial thought is that AUTH
>>>> processing crypto restrictions don't belong in 4307bis.
>>>
>>> I think we do need some kind of statement along the lines:
>>> - With RSA signatures, use SHA-256 or better, not SHA-1 (BTW: 7296 says
>>> “SHOULD use SHA-1” and this is a document from only last year…)
>>> - Don’t use DSS because that is only defined with SHA-1.
>>> - With ECDSA no need to specify because each curve comes with a hash
>>> - PSK is fine because you are using a PRF.
>>> - With anything else, don’t use any hash weaker than SHA-256.
>>>
>>> If not here, where does this advice go?
>>
>> I see your point. But for instance for X509 certificates, I really would
>> like to not make any statement and point to whatever equivalent of PKIX
>> documents there are on that. Does the TLS WG have any documents on
>> crypto agility for PKIX?
>
> The TLS list currently has a thread about whether TLS 1.3 should prohibit
> SHA-1 only in signatures or also in the certificate chain.

https://mailarchive.ietf.org/arch/msg/tls/-1LxtUHZTQXvvMVsLR4jzp79q9E

> It’s not decided yet, but they *are* prohibiting SHA-1 in the protocol
> (CertificateVerify message), and current spec prohibits server certificate
> signed with SHA-1 (only EE certificate) when another certificate exists.
>
> Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
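The rule sketched in the thread (no SHA-1, no DSS, SHA-256 or better with RSA and anything else) and the open TLS question of whether it applies to the end-entity certificate only or to the whole chain can both be expressed as a small check over the signatureAlgorithm field of each DER certificate. The following is an added example, not code from the IPsec WG, any RFC, or the people quoted above. It uses a minimal DER walker with no external dependencies; the OID-to-algorithm table holds the standard PKCS#1, X9.57 and X9.62 identifiers, and the certificates at the bottom are synthetic stand-ins (empty tbsCertificate, dummy signature) constructed only to exercise the check.

```python
"""Flag SHA-1 and DSS signature algorithms in a DER certificate chain.

Example code, not from the IPsec WG or any RFC. Policy implemented:
reject DSS, reject any hash weaker than SHA-256, fail closed on unknown
OIDs. `check_chain(..., whole_chain=False)` is the narrower "EE only"
option the TLS thread was debating.
"""

# Signature-algorithm OIDs (PKCS#1, X9.57, X9.62) -> (key algorithm, hash)
SIG_ALGS = {
    "1.2.840.113549.1.1.5":  ("RSA", "SHA-1"),     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),   # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),   # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": ("RSA", "SHA-512"),   # sha512WithRSAEncryption
    "1.2.840.10040.4.3":     ("DSA", "SHA-1"),     # dsaWithSHA1
    "1.2.840.10045.4.1":     ("ECDSA", "SHA-1"),   # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2":   ("ECDSA", "SHA-256"), # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3":   ("ECDSA", "SHA-384"), # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4":   ("ECDSA", "SHA-512"), # ecdsa-with-SHA512
}
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512"}


def der_read_tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos). Definite lengths only."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc, pending = 0, False
    for b in value[1:]:                     # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def der_encode(tag, value):
    """Encode one TLV (used only to build the synthetic test certificates)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def cert_signature_algorithm(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280, section 4.1).

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = der_read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _tbs, pos = der_read_tlv(body)           # tbsCertificate, left opaque here
    tag, algid, _ = der_read_tlv(body, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = der_read_tlv(algid)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def check_signature_oid(oid):
    """(accepted, reason) for one signature-algorithm OID, fail closed."""
    if oid not in SIG_ALGS:
        return False, "unknown signature algorithm %s rejected" % oid
    key_alg, hash_alg = SIG_ALGS[oid]
    if key_alg == "DSA":
        return False, "DSS signature rejected"
    if hash_alg not in STRONG_HASHES:
        return False, "%s with %s rejected: hash weaker than SHA-256" % (key_alg, hash_alg)
    return True, "%s with %s accepted" % (key_alg, hash_alg)


def check_chain(chain_der, whole_chain=True):
    """chain_der: DER certs, end-entity first, trust anchor excluded (a
    verifier does not rely on the anchor's self-signature). Returns
    [(index, oid, accepted, reason)] for each certificate checked."""
    to_check = chain_der if whole_chain else chain_der[:1]
    results = []
    for i, cert in enumerate(to_check):
        oid = cert_signature_algorithm(cert)
        ok, reason = check_signature_oid(oid)
        results.append((i, oid, ok, reason))
    return results


def make_synthetic_cert(sig_oid):
    """Constructed stand-in, not a real certificate: empty tbsCertificate,
    the given signatureAlgorithm, and a dummy BIT STRING signatureValue."""
    tbs = der_encode(0x30, b"")
    alg = der_encode(0x30, der_encode(0x06, encode_oid(sig_oid)))
    sig = der_encode(0x03, b"\x00")
    return der_encode(0x30, tbs + alg + sig)


# Constructed chain: EE signed with sha256WithRSA, intermediate with sha1WithRSA
SAMPLE_CHAIN = [
    make_synthetic_cert("1.2.840.113549.1.1.11"),
    make_synthetic_cert("1.2.840.113549.1.1.5"),
]

if __name__ == "__main__":
    for scope in (True, False):
        print("whole chain" if scope else "EE only")
        for i, oid, ok, reason in check_chain(SAMPLE_CHAIN, whole_chain=scope):
            print("  cert[%d] %s: %s" % (i, oid, reason))
```

Run stand-alone, the whole-chain check accepts the end-entity certificate and rejects the SHA-1-signed intermediate, while the EE-only variant passes the same chain; that difference is exactly the scope question left open in the linked TLS thread. Unknown OIDs are rejected rather than ignored, so an attacker cannot slip past the check with an identifier the table does not list.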