On 10 Feb 2016, at 1:43 PM, Paul Wouters <p...@nohats.ca> wrote:
>
>> And for the digital signature method, why should we require SHA-1?
>
> Because it is very common to use right now. We cannot go from MUST to
> MUST NOT.
No, but RFC 4307 says nothing about hashes in signatures (whether RSA(1) or digital signature(14)). So whatever we recommend here is new. This is even more true for digital signature(14) as we hardly have any legacy code to maintain backwards compatibility with[1].

Also, unlike in TLS, we did not tie signature algorithms in certificates to signature algorithms in the protocol, so it’s fine to insist on SHA2-256 in the protocol while accepting SHA1 in the certificate. At least it’s fine as far as IKE goes. This is important because there are all kinds of certificates and CAs that we have to work with, but I don’t believe there is any modern IKE implementation (definitely not one that has implemented RFC 7427) that does not support SHA2-256 at least.

So ISTM that we should be fine recommending SHA2-256 at the MUST level with SHA1 in the SHOULD NOT level (to allow people who manage to interface old hardware modules to new IKE software).

Yoav

[1] "legacy code with which to maintain backwards compatibility"?

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
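The decoupling Yoav describes (the protocol-side hash negotiated via the RFC 7427 SIGNATURE_HASH_ALGORITHMS notify, independent of whatever hash the CA used on the certificate) can be expressed as a small policy check. The following is an added example, not code from the thread or any IKE implementation; the local policy function is hypothetical and encodes the proposal above (SHA2-256 MUST, SHA1 SHOULD NOT and only enabled for legacy interop), and the peer notify payloads are constructed sample data.

```python
import struct

# RFC 7427 "IKEv2 Hash Algorithms" identifiers as carried in the
# SIGNATURE_HASH_ALGORITHMS notify: a list of 16-bit values, network order.
HASH_NAMES = {1: "SHA1", 2: "SHA2-256", 3: "SHA2-384", 4: "SHA2-512"}
SHA1, SHA2_256, SHA2_384, SHA2_512 = 1, 2, 3, 4

def parse_hash_notify(data: bytes) -> list:
    """Decode the Notification Data of SIGNATURE_HASH_ALGORITHMS into ids."""
    if len(data) % 2:
        raise ValueError("hash algorithm list must be a multiple of 2 bytes")
    return list(struct.unpack("!%dH" % (len(data) // 2), data))

def local_hash_policy(allow_legacy_sha1: bool = False) -> list:
    """Hypothetical local policy matching the thread's proposal: SHA2-256 is
    always offered (MUST), larger SHA-2 sizes too; SHA1 only when an operator
    explicitly enables it for old hardware modules (SHOULD NOT)."""
    offered = [SHA2_512, SHA2_384, SHA2_256]   # strongest first
    if allow_legacy_sha1:
        offered.append(SHA1)
    return offered

def select_signature_hash(peer_notify: bytes, allow_legacy_sha1: bool = False):
    """Pick the strongest hash both sides support for the digital signature
    (method 14) AUTH payload, or None if there is no overlap. Note that the
    certificate's own signature hash is deliberately not consulted here."""
    peer = set(parse_hash_notify(peer_notify))
    for alg in local_hash_policy(allow_legacy_sha1):
        if alg in peer:
            return alg
    return None

# Constructed sample notify data (not captured from a real exchange).
PEER_MODERN = struct.pack("!HH", SHA1, SHA2_256)   # supports SHA1 and SHA2-256
PEER_LEGACY = struct.pack("!H", SHA1)              # SHA1 only

if __name__ == "__main__":
    print(HASH_NAMES[select_signature_hash(PEER_MODERN)])         # SHA2-256
    print(select_signature_hash(PEER_LEGACY))                      # None
    print(HASH_NAMES[select_signature_hash(PEER_LEGACY, True)])   # SHA1
```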