I have seen specific customer pushback against SHA-1. Serious "you need to change this" pushback, not "we were just wondering."
"SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use,[3] and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3.[4][5][6] Microsoft,[7] Google[8] and Mozilla[9][10][11] have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017." -- https://en.wikipedia.org/wiki/SHA-1 That sounds to me like an integrity APAR waiting to happen. Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Mark Post Sent: Friday, May 13, 2016 2:31 PM To: [email protected] Subject: Re: smp/e sha-2 support? >>> On 5/13/2016 at 03:21 PM, "Dyck, Lionel B. (TRA)" <[email protected]> wrote: > We asked IBM support about implementing SHA2 for the SMP/E FTP > download process and was told to open an RFE. That seems kinda insane > given that SHA-1 seems to be heading to the heap of obsolete technologies. > > Can anyone shed any light on this? Opening an RFE seems absurd given > that this is an industry standard for security that we are being > forced into as I type this and I'm sure we're not the only IBM > customer who will be impacted by the lack of SHA2 support. > > Thanks - just something for the weekends discussion If SHA-1 is obsolete, and I think it is, and were I an IBM customer, I would possibly try opening an Integrity APAR with the support center. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
