On Sat, Jun 20, 2026 at 11:52 AM Job Snijders <[email protected]> wrote:

> On Sat, Jun 20, 2026 at 11:30:18AM -0500, Behcet Sarikaya wrote:
> > > > Section 3.4.4 SHA-1 SHA-1 as a cryptographic algorithm is
> > > > deprecated and should be phased out by Dec. 31, 2030
> > >
> > > In this context, SHA-1 is not used for cryptographic purposes.
> > >
> > > The CCR embedded integrity checksums and the content address references
> > > to objects outside the CCR all use SHA-256. See 'hashAlg' in section
> 3.2.
> > >
> > > This is what I found on my search:
> >
> > SHA-1 is no longer secure because it is vulnerable to "collision
> attacks,"
> > where two different inputs produce the exact same hash
> >
> > What would you say?
>
> Collisions are not relevant in this context. The tuple of (SHA-1 SKI,
> Manifest SIA) uniquely identifies the Certification Authority, in
> the original context part of a chain of RSA-2048 signatures, this is
> sufficient for the analytical purposes for which CCR is intended.
>
> More importantly, this CCR specification is not the place to redefine
> what constitues a Certificate KeyIdentifier in the RPKI context. The
> CCR standard merely aligns with the existing body of work around RPKI,
> specifically Section 4.8.2 of RFC 6487.
>
> Please note that the CCR embedded integrity checksums and the content
> address references to objects outside the CCR all use SHA-256. See
> 'hashAlg' in section 3.2.
>
> Kind regards,
>
> Job
>

I read all of the above.
Given so much concern on SHA-1 (remember the security review also was
concerned on this)
I suggest that you include some text from above, especially the first
paragraph in the most appropriate place in the draft.

Best regards,
Behcet
_______________________________________________
Gen-art mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to