On Wed, 23 Nov 2016, John Mattsson wrote:
> One question: currently SHA-1 signatures are not only allowed by RFC7296, but even "SHOULD use as default". 4307bis does not change this. Shouldn't something be done about this? Right now (and even with 4307bis):
>
> From Section 4 of the bis document:
>
> IKEv2 authentication may involve a signature verification. Signatures may be used to validate a certificate or to check the signature of the AUTH value. Cryptographic recommendations regarding certificate validation are out of scope of this document. What is mandatory to implement is provided by the PKIX Community. This document is mostly concerned with signature verification and generation for the authentication.
>
> RSASSA-PKCS1-v1.5 with SHA-1 is MUST support and everything else (PSS+SHA-2, ECDSA+SHA-2) is just SHOULD (not even SHOULD+) and PKCS1-v1.5+SHA-2 is MAY.
Because we are hoping to obsolete everything for Digital Signatures as per RFC7427. We did not make that a SHOULD+ because it has not yet seen wide deployment.
> This does not seem good even short term... Feels like at a minimum, some authentication method with SHA-2 should be mandatory to support.
Perhaps we should make it SHOULD+ and make RSA MUST- to make that more clear? But I'd like to hear from others before doing that.

Paul

_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
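The practical consequence of the thread above is what an initiator does when it is told "SHA-2 authentication is mandatory" but the peer may or may not implement RFC 7427. The following is an added example, not code from the thread or from any IKEv2 implementation. It uses the RFC 7296 Authentication Method value 1 (RSA Digital Signature, fixed to SHA-1), the RFC 7427 value 14 (Digital Signature), the SIGNATURE_HASH_ALGORITHMS notify type 16431 and the IKEv2 Hash Algorithm identifiers SHA1=1, SHA2-256=2, SHA2-384=3, SHA2-512=4. The function names, the `allow_sha1` policy switch and the sample peer messages are assumptions constructed for illustration; the notify bodies are built inline and are not captured traffic.

```python
"""Selecting an IKEv2 authentication method from the peer's advertised hashes.

RFC 7296 fixes the hash for method 1 (RSA Digital Signature) to SHA-1.
RFC 7427 adds method 14 (Digital Signature) plus the SIGNATURE_HASH_ALGORITHMS
notify, through which each side lists the hash algorithms it accepts.
Example code written for this thread; not from any real IKEv2 stack.
"""
import struct

# Authentication Method values (RFC 7296 Section 3.8; RFC 7427 Section 3).
AUTH_RSA_DIGITAL_SIGNATURE = 1   # RSASSA-PKCS1-v1_5 over SHA-1, hash not negotiable
AUTH_DIGITAL_SIGNATURE = 14      # RFC 7427: algorithm and hash carried in the AUTH payload

# SIGNATURE_HASH_ALGORITHMS notify type and IKEv2 Hash Algorithm identifiers (RFC 7427 Section 4).
NOTIFY_SIGNATURE_HASH_ALGORITHMS = 16431
HASH_SHA1, HASH_SHA2_256, HASH_SHA2_384, HASH_SHA2_512 = 1, 2, 3, 4

# Local preference, strongest first. SHA-1 is deliberately absent (assumed local policy).
PREFERRED_HASHES = (HASH_SHA2_512, HASH_SHA2_384, HASH_SHA2_256)


class NoAcceptableAuthMethod(Exception):
    """Raised when local policy and peer capabilities do not intersect."""


def build_sig_hash_notify(hashes):
    """Notify payload body after the generic payload header:
    Protocol ID (0), SPI Size (0), Notify Message Type, then one 16-bit id per hash."""
    header = struct.pack("!BBH", 0, 0, NOTIFY_SIGNATURE_HASH_ALGORITHMS)
    return header + b"".join(struct.pack("!H", h) for h in hashes)


def parse_sig_hash_notify(body):
    """Return the advertised hash ids, or None if the body is some other notify type."""
    if len(body) < 4:
        raise ValueError("notify body too short")
    _protocol_id, spi_size, notify_type = struct.unpack("!BBH", body[:4])
    if notify_type != NOTIFY_SIGNATURE_HASH_ALGORITHMS:
        return None
    data = body[4 + spi_size:]
    if len(data) % 2:
        raise ValueError("SIGNATURE_HASH_ALGORITHMS data is not a sequence of 16-bit ids")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data), 2)]


def select_auth_method(peer_notify_body, allow_sha1=False):
    """Pick (auth_method, hash_id) for our own AUTH payload.

    peer_notify_body: the peer's SIGNATURE_HASH_ALGORITHMS notify body, or None when
    the peer sent none (it does not implement RFC 7427).
    allow_sha1: assumed policy switch; False models "SHA-2 mandatory to use".
    """
    peer_hashes = parse_sig_hash_notify(peer_notify_body) if peer_notify_body else None
    if peer_hashes is not None:
        # Peer speaks RFC 7427: take the strongest hash both sides accept.
        for h in PREFERRED_HASHES:
            if h in peer_hashes:
                return AUTH_DIGITAL_SIGNATURE, h
        if allow_sha1 and HASH_SHA1 in peer_hashes:
            return AUTH_DIGITAL_SIGNATURE, HASH_SHA1
        raise NoAcceptableAuthMethod("peer offers no acceptable hash for Digital Signature")
    # No RFC 7427 on the peer: only the fixed-hash RFC 7296 methods remain,
    # and the RSA one is SHA-1 only, so a SHA-2-only policy has nothing to fall back to.
    if allow_sha1:
        return AUTH_RSA_DIGITAL_SIGNATURE, HASH_SHA1
    raise NoAcceptableAuthMethod("peer lacks RFC 7427 support and SHA-1 is disallowed")


if __name__ == "__main__":
    # Constructed sample peers, not captured traffic.
    modern = build_sig_hash_notify([HASH_SHA2_256, HASH_SHA2_512])
    legacy = build_sig_hash_notify([HASH_SHA1])
    print(select_auth_method(modern))                    # (14, 4)
    print(select_auth_method(legacy, allow_sha1=True))   # (14, 1)
    for body in (legacy, None):
        try:
            select_auth_method(body)
        except NoAcceptableAuthMethod as exc:
            print("refused:", exc)
```

The point the code makes is the one John raises: with only method 1 mandatory, a SHA-2-only policy cannot interoperate with a peer that never sends SIGNATURE_HASH_ALGORITHMS, so the realistic deployments either keep `allow_sha1=True` or require RFC 7427 on both ends.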
