On Mon, 2 Nov 2015, Yoav Nir wrote:
> P.S. Someone’s asked me off-list whether there is any IPsecME document that
> says not to trust SHA-1 in signatures, both AUTH payload and certificates, the
> way the TLS 1.3 document may end up saying for TLS. I’m wondering if RFC4307bis
> might be the place for this, in particular the signature in AUTH payload. Just
> something to think about before we bikeshed.
>
>> RFC4307bis Bikeshedding Session.
>> We should have text to clarify the difference of algorithm use in
>> IKE/IPsec and in AUTH processing. Initial thought is that AUTH
>> processing crypto restrictions don't belong in 4307bis.
>
> I think we do need some kind of statement along the lines:
> - With RSA signatures, use SHA-256 or better, not SHA-1 (BTW: 7296 says “SHOULD
> use SHA-1” and this is a document from only last year…)
> - Don’t use DSS because that is only defined with SHA-1.
> - With ECDSA no need to specify because each curve comes with a hash
> - PSK is fine because you are using a PRF.
> - With anything else, don’t use any hash weaker than SHA-256.
>
> If not here, where does this advice go?
I see your point. But for instance for X509 certificates, I really would
like to not make any statement and point to whatever equivalent of PKIX
documents there are on that. Does the TLS WG have any documents on
crypto agility for PKIX?
Paul
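The five bullets quoted above can be turned into a fail-closed policy check. The following is an added example written for this thread, not code from either poster nor from any IPsecME document. The IKEv2 AUTH method numbers (1, 2, 3, 9, 10, 11, 14) are the IANA registry values from RFC 7296 and RFC 7427, and the signature OIDs are the standard PKCS/X9 ones; the function names, the tiny DER encoder/decoder, and the sample inputs are constructed for the example. RSASSA-PSS is deliberately left unhandled (its hash lives in the parameters, not the OID), so it falls into the "unknown, reject" branch.

```python
# IKEv2 AUTH method values from the IANA IKEv2 registry (RFC 7296, RFC 7427).
AUTH_RSA_SHA1 = 1      # "RSA Digital Signature": PKCS#1 v1.5 with SHA-1, fixed
AUTH_SHARED_KEY = 2    # "Shared Key Message Integrity Code": PSK through the PRF
AUTH_DSS = 3           # "DSS Digital Signature": defined only with SHA-1
AUTH_ECDSA_P256 = 9    # ECDSA with SHA-256 on P-256
AUTH_ECDSA_P384 = 10   # ECDSA with SHA-384 on P-384
AUTH_ECDSA_P521 = 11   # ECDSA with SHA-512 on P-521
AUTH_DIGITAL_SIG = 14  # RFC 7427: a DER AlgorithmIdentifier names the algorithm

# Signature algorithm OIDs (as seen in certificates and RFC 7427 AUTH data)
# and the hash each one binds.
SIG_OIDS = {
    "1.2.840.113549.1.1.5":  ("RSA",   "SHA-1"),    # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": ("RSA",   "SHA-256"),  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": ("RSA",   "SHA-384"),
    "1.2.840.113549.1.1.13": ("RSA",   "SHA-512"),
    "1.2.840.10040.4.3":     ("DSS",   "SHA-1"),    # dsa-with-sha1
    "1.2.840.10045.4.1":     ("ECDSA", "SHA-1"),    # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2":   ("ECDSA", "SHA-256"),  # ecdsa-with-SHA256
}
HASH_BITS = {"SHA-1": 160, "SHA-256": 256, "SHA-384": 384, "SHA-512": 512}


def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, last byte has bit 7 clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_algorithm_identifier(dotted):
    """SEQUENCE { OID, NULL } in the shape RFC 7427 AUTH data carries (sample builder)."""
    body = encode_oid(dotted) + b"\x05\x00"
    return bytes([0x30, len(body)]) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for a short-form-length DER TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths not expected in an AlgorithmIdentifier")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_oid(body):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_algorithm_identifier(der):
    """Return (dotted_oid, parameter_bytes) from a DER AlgorithmIdentifier."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, end = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    return decode_oid(oid_body), seq[end:]


def check_signature_algorithm(dotted_oid):
    """Apply the bullet list to a signature OID; returns (accepted, reason)."""
    if dotted_oid not in SIG_OIDS:   # covers RSASSA-PSS too: hash sits in params
        return False, "unknown or unhandled signature algorithm %s" % dotted_oid
    key_alg, hash_alg = SIG_OIDS[dotted_oid]
    if key_alg == "DSS":
        return False, "DSS is only defined with SHA-1"
    if HASH_BITS[hash_alg] < 256:    # RSA and "anything else": SHA-256 or better
        return False, "%s with %s: hash weaker than SHA-256" % (key_alg, hash_alg)
    return True, "%s with %s" % (key_alg, hash_alg)


def check_auth_method(method, sig_alg_der=None):
    """Apply the same rules to an IKEv2 AUTH payload; returns (accepted, reason)."""
    if method == AUTH_SHARED_KEY:
        return True, "PSK: authentication runs through the negotiated PRF"
    if method in (AUTH_ECDSA_P256, AUTH_ECDSA_P384, AUTH_ECDSA_P521):
        return True, "ECDSA method %d: curve and hash are fixed together" % method
    if method == AUTH_DSS:
        return False, "DSS Digital Signature is only defined with SHA-1"
    if method == AUTH_RSA_SHA1:
        return False, "RSA Digital Signature (method 1) is fixed to SHA-1"
    if method == AUTH_DIGITAL_SIG:
        if sig_alg_der is None:
            return False, "method 14 requires its AlgorithmIdentifier"
        oid, _params = parse_algorithm_identifier(sig_alg_der)
        return check_signature_algorithm(oid)
    return False, "unrecognised AUTH method %d" % method


if __name__ == "__main__":
    # Constructed sample inputs: plain methods plus two RFC 7427-style identifiers.
    for method, der in [(AUTH_RSA_SHA1, None), (AUTH_SHARED_KEY, None),
                        (AUTH_DSS, None), (AUTH_ECDSA_P256, None),
                        (AUTH_DIGITAL_SIG, encode_algorithm_identifier("1.2.840.113549.1.1.5")),
                        (AUTH_DIGITAL_SIG, encode_algorithm_identifier("1.2.840.113549.1.1.11"))]:
        ok, why = check_auth_method(method, der)
        print("method %2d: %s (%s)" % (method, "accept" if ok else "reject", why))
```

The point worth noticing is that method 1 is rejected outright: RFC 7296 pins "RSA Digital Signature" to SHA-1, so a peer that wants RSA with SHA-256 has to use method 14 and say so in the AlgorithmIdentifier. Certificates in the chain would get the same `check_signature_algorithm` call on each `signatureAlgorithm` field, which is the place where Paul would rather defer to the PKIX documents.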
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec