Viktor Dukhovni <ietf-d...@dukhovni.org> writes:

>also the private CAs using SHA-1 will need to switch to SHA-2 to regain
>interoperability, despite no actual risk from SHA-1.

Another problem with moving to SHA-2 is that when you have a lot of gear that only does SHA-1, you need to run parallel PKIs possibly in perpetuity, one using SHA-1 and the other SHA-2. For example if you're signing CRLs then you have SHA-2-signed ones and SHA-1-signed ones, and then the CA/signing certs in turn have to be signed with SHA-1 or SHA-2, and the CA certs for those have to be SHA-1 or SHA-2, and you can see what a headache that ends up being, not just in terms of running two PKIs but also the fact that you've now got lots of apparently duplicated certs that differ only in their hash algorithm.

Or you can use different keys, but now you also need to change the DNs otherwise sigs on the SHA-1 branch won't verify on the SHA-2 branch. No matter how you look at it, you end up with a mess.

(Luckily this sort of thing is Someone Else's Problem, and I don't envy them for it).

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls