John, the bottom line is that, while it may not be a security exposure or a system integrity issue, it is an issue from the standpoint of auditors and centralized security organizations who dictate policy. Whether it is a private or public environment, we all have these organizations who have responsibility for security, and then there are the regulators, who can be more onerous.
A certificate-based signature could be workable provided it didn't say SHA-1 (or any other deprecated encryption or security process).

--------------------------------------------------------------------------
Lionel B. Dyck (Contractor)
Mainframe Systems Programmer
Enterprise Infrastructure Support (Station 200) (005OP6.3.10)
VA OI&T Service Delivery & Engineering

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of John Eells
Sent: Monday, May 16, 2016 3:22 PM
To: [email protected]
Subject: Re: [EXTERNAL] Re: smp/e sha-2 support?

Without promising anything at all, please don't be too hasty to prejudge the outcome of this discussion.

What I tried to ask is what the actual requirement is. The consensus seems to be that the actual requirement is "keep the auditors happy [and by implication let us keep using internet-based software delivery, because they set rules we have to follow] by making any use of SHA-1 'go away' in this context."

That is not quite the same as it being (a) an actual security exposure or (b) a system integrity exposure. That also does *not* make it unimportant. I just want to be sure we are talking about the right things.

Suppose we went off on the path of providing digital signatures for z/OS software packaging that Andrew Rowley brought up:

- Would a certificate-based signature do?
- What requirements would you have for certificates?
- Would you want signature verification to be optional?
- If signature verification were to be optional, would it be acceptable to use the SHA-1 hash for integrity checking if the recipient chose not to verify the signature? Or, would it still be necessary to use a different algorithm?
- Anything else to think about?

Dyck, Lionel B. , TRA wrote:
> What's going to happen is that IBM will not support SHA-2 (or -3) and every
> shop with any degree of security (hipaa, sox, dod, ...) will cease to be able
> to use the internet delivery option. Being told to create an RFE for
> something that is obvious is troubling and to be told that it doesn't matter
> is worse. This is not my first shop where auditors dictate a higher level of
> security than most think required but they are following guidelines from
> someone higher up that can't be argued with.
>
> Somehow I don't think I'm the first to raise this nor will I be the last.
<snip>

--
John Eells
IBM Poughkeepsie
[email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
