I am not at an end-user shop but I think we are not dealing with rationality here, we are dealing with voodoo. SHA-1 is bad juju. End of story. If the distribution server were NAMED SHA1 it would be a problem.
Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of John Eells
Sent: Monday, May 16, 2016 1:22 PM
To: [email protected]
Subject: Re: [EXTERNAL] Re: smp/e sha-2 support?

Without promising anything at all, please don't be too hasty to prejudge the outcome of this discussion.

What I tried to ask is what the actual requirement is. The consensus seems to be that the actual requirement is "keep the auditors happy [and by implication let us keep using internet-based software delivery, because they set rules we have to follow] by making any use of SHA-1 'go away' in this context." That is not quite the same as it being (a) an actual security exposure or (b) a system integrity exposure. That also does *not* make it unimportant. I just want to be sure we are talking about the right things.

Suppose we went off on the path of providing digital signatures for z/OS software packaging that Andrew Rowley brought up:

- Would a certificate-based signature do?
- What requirements would you have for certificates?
- Would you want signature verification to be optional?
- If signature verification were to be optional, would it be acceptable to use the SHA-1 hash for integrity checking if the recipient chose not to verify the signature? Or, would it still be necessary to use a different algorithm?
- Anything else to think about?

Dyck, Lionel B. , TRA wrote:
> What's going to happen is that IBM will not support SHA-2 (or -3) and every shop with any degree of security (hipaa, sox, dod, ...) will cease to be able to use the internet delivery option. Being told to create an RFE for something that is obvious is troubling and to be told that it doesn't matter is worse. This is not my first shop where auditors dictate a higher level of security than most think required but they are following guidelines from someone higher up that can't be argued with.
>
> Somehow I don't think I'm the first to raise this nor will I be the last.
<snip>

--
John Eells
IBM Poughkeepsie
[email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
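The distinction behind John's questions (a hash used for integrity checking of the download versus a digital signature that establishes who issued the package) is easier to see in code. The following is an added example written for this page; it is not IBM's or SMP/E's code, and the Manifest structure, the package name, the Ed25519 vendor key and the sample payload bytes are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical download manifest: a package name and the
// digest a recipient checks after transfer. It is a stand-in for
// illustration only, not the SMP/E RECEIVE format.
type Manifest struct {
	Name   string
	SHA256 string // hex digest of the package payload
}

// Bytes is the canonical form the vendor signs and the recipient verifies.
func (m Manifest) Bytes() []byte {
	return []byte(m.Name + "\n" + m.SHA256 + "\n")
}

// NewManifest computes the digest of a payload. Swapping SHA-256 for SHA-1
// here would change only the integrity check, not the signature question.
func NewManifest(name string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Name: name, SHA256: hex.EncodeToString(sum[:])}
}

// CheckIntegrity answers only "do the bytes match the manifest I was given?".
// It says nothing about who produced that manifest.
func CheckIntegrity(payload []byte, m Manifest) error {
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("digest mismatch: payload differs from manifest")
	}
	return nil
}

// CheckAuthenticity answers "was this manifest issued by the holder of the
// vendor's private key?". Only a valid signature ties the digest to the vendor.
func CheckAuthenticity(m Manifest, sig []byte, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return errors.New("signature invalid: manifest not issued under vendor key")
	}
	return nil
}

// Outcome records what each check reports for the genuine and tampered cases.
type Outcome struct {
	GenuineIntegrity                bool // genuine payload vs vendor manifest
	GenuineAuthenticity             bool // vendor manifest vs vendor signature
	ModifiedPayloadVsVendorManifest bool // modified payload vs vendor manifest
	ModifiedPayloadVsForgedManifest bool // modified payload vs regenerated manifest
	ForgedManifestAuthentic         bool // regenerated manifest vs vendor signature
}

// RunScenario plays the vendor, an honest recipient, and an attacker who can
// rewrite both the payload and the manifest on the download path.
func RunScenario() (Outcome, error) {
	// Hypothetical vendor signing key, generated fresh for the example.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample payload; any bytes would do.
	payload := []byte("sample package contents v1\n")
	vendorManifest := NewManifest("sample-package.pax", payload)
	sig := ed25519.Sign(priv, vendorManifest.Bytes())

	// The attacker modifies the payload and regenerates the unsigned manifest
	// so that the digest matches the altered bytes.
	modified := append([]byte(nil), payload...)
	modified = append(modified, []byte("injected change\n")...)
	forgedManifest := NewManifest("sample-package.pax", modified)

	return Outcome{
		GenuineIntegrity:                CheckIntegrity(payload, vendorManifest) == nil,
		GenuineAuthenticity:             CheckAuthenticity(vendorManifest, sig, pub) == nil,
		ModifiedPayloadVsVendorManifest: CheckIntegrity(modified, vendorManifest) == nil,
		ModifiedPayloadVsForgedManifest: CheckIntegrity(modified, forgedManifest) == nil,
		ForgedManifestAuthentic:         CheckAuthenticity(forgedManifest, sig, pub) == nil,
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", o)
}
```

The digest catches a payload that no longer matches the manifest the vendor published, whichever hash algorithm is used. It cannot catch a payload delivered with a regenerated manifest, because the recipient has no way to tell the vendor's digest from the attacker's; only the signature check rejects that case. That is why the choice of SHA-1 versus SHA-2 and the choice of whether signature verification is optional are separate questions: the first decides how strong the integrity check is, the second decides whether the recipient learns anything about who issued the package at all.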
