And anyone who thinks Auditors don't set policy and rules hasn't worked in the commercial environment for a while. Let alone the fact of having to train PCI Auditors that the Mainframe isn't just a slightly bigger PC or Windows server. Some shops could best be summarized as "What the Auditor Wants - The Auditor Gets (Even if it makes no sense at all)".

Even though John is absolutely correct on the implications of using SHA1 for the purposes of receiving patches, the knee-jerk reaction is "SHA1 has been superseded as it's insecure - everyone must move to SHA2" (unsaid: even though it makes no sense for what the purpose is).

Jerry Whitteridge
Manager Mainframe Systems & Storage
Albertsons - Safeway Inc.
925 738 9443
Corporate Tieline - 89443

If you feel in control you just aren't going fast enough.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Dyck, Lionel B. (TRA)
Sent: Monday, May 16, 2016 12:26 PM
To: [email protected]
Subject: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

What's going to happen is that IBM will not support SHA-2 (or -3) and every shop with any degree of security (hipaa, sox, dod, ...) will cease to be able to use the internet delivery option. Being told to create an RFE for something that is obvious is troubling, and to be told that it doesn't matter is worse.

This is not my first shop where auditors dictate a higher level of security than most think required, but they are following guidelines from someone higher up that can't be argued with.

Somehow I don't think I'm the first to raise this, nor will I be the last.

--------------------------------------------------------------------------
Lionel B. Dyck
--- Opinions expressed are my own and not my employer ---

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Phil Smith III
Sent: Monday, May 16, 2016 10:48 AM
To: [email protected]
Subject: [EXTERNAL] Re: smp/e sha-2 support?

Charles Mills wrote:
>I suspect you've got a problem, however. There's a saying in sales
>"when you explain, you lose." I can hear auditors saying "SHA-1 -- no good -- security
>exposure" and I would not want to be the one explaining what you say
>below to them.
>Perhaps I underestimate IT auditors. I just know the "buzzword kneejerk"
>problem.
I reluctantly have to support this position (not because I don't generally agree with Charles, but because it flies in the face of reason). "Trouble is, sheep are very dim. Once they get an idea in their 'eads, there's no shiftin' it." Same applies to far too many auditors/QSAs/et al.

SHA-1 is dead; "good enough" or not, there's no reason to use it any more, given that SHA-2 (and, hey, SHA-3!) exist, eh?

.phsiii

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
