I agree with Geoff re the use of SHA-1 vs. SHA-256.
SHA-1 is called out in 3280 for SKI/AKI, although one could use other hash algorithms (or non-hash algorithms) for this purpose. My guess is that most CA software supports this. There seem to be no serious security problems arising from use of SHA-1 here. In contrast, we have been advised to migrate to SHA-256 for cert signatures, at least until NIST certifies a replacement. So, it makes sense to call for SHA-256 in that context, and I have been told that software for SHA-256 support for signatures is available as well.
_______________________________________________
Sidr mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/sidr
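The SKI/AKI derivation the message refers to, as an added example that is not part of the SIDR thread and is not code from any CA product: it encodes a SubjectPublicKeyInfo for a constructed toy RSA public key, pulls the subjectPublicKey BIT STRING value back out, and derives the key identifier with RFC 3280 section 4.2.1.2 method (1) (160-bit SHA-1) and method (2), plus the truncated SHA-256 identifier from RFC 7093 to illustrate that another hash can serve the same purpose. It then resolves an AKI against a table of candidate issuers, which is all the identifier is used for. The toy moduli, the issuer table and every function name are this example's own assumptions; it needs only the Python standard library.

```python
"""Subject key identifier (SKI/AKI) derivation per RFC 3280 section 4.2.1.2.

Added illustration; not code from the SIDR thread or any CA product.
Standard library only. The RSA moduli are constructed toy values so the
script runs offline; all function names are this example's own.
"""
import hashlib


# ---- minimal DER encoder, enough for SubjectPublicKeyInfo ----

def der_len(n: int) -> bytes:
    """Definite-form DER length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER; a leading zero keeps values with the top bit set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def rsa_public_key_der(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der_tlv(0x30, der_integer(n) + der_integer(e))


def rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }"""
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key_der(n, e))  # 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


# ---- minimal DER reader, used to pull the BIT STRING value back out ----

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, buf[start:start + length], start + length


def subject_public_key_bits(spki: bytes) -> bytes:
    """Value of subjectPublicKey with tag, length and the unused-bits octet
    stripped: exactly the octets RFC 3280 says to hash."""
    tag, seq, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    alg_tag, _alg, pos = read_tlv(seq)
    bits_tag, bits, _ = read_tlv(seq, pos)
    if alg_tag != 0x30 or bits_tag != 0x03:
        raise ValueError("unexpected SubjectPublicKeyInfo layout")
    if bits[0] != 0:
        raise ValueError("unused bits in subjectPublicKey not supported here")
    return bits[1:]


def key_identifier(spki: bytes, method: str = "rfc3280-1") -> bytes:
    """keyIdentifier for an SKI (and for the AKI in certificates that key issues)."""
    bits = subject_public_key_bits(spki)
    if method == "rfc3280-1":  # 160-bit SHA-1 hash of the key bits
        return hashlib.sha1(bits).digest()
    if method == "rfc3280-2":  # type nibble 0100 followed by the low 60 bits of SHA-1
        low60 = int.from_bytes(hashlib.sha1(bits).digest()[-8:], "big") & ((1 << 60) - 1)
        return ((0x4 << 60) | low60).to_bytes(8, "big")
    if method == "rfc7093-1":  # leftmost 160 bits of SHA-256 (RFC 7093 method 1)
        return hashlib.sha256(bits).digest()[:20]
    raise ValueError(f"unknown method {method!r}")


def find_issuer(aki: bytes, issuers: dict, method: str = "rfc3280-1"):
    """Names of candidate issuers whose SKI equals the AKI keyIdentifier.
    The identifier is only a lookup hint: nothing is signed over it, and
    path validation still verifies the issuer's signature on the cert."""
    return [name for name, spki in issuers.items() if key_identifier(spki, method) == aki]


# Constructed toy public keys (not real, not secure) so the example runs offline.
N_A = int.from_bytes(bytes(range(1, 33)), "big")
N_B = int.from_bytes(bytes(range(32, 0, -1)), "big")
E = 65537
SPKI_A, SPKI_B = rsa_spki(N_A, E), rsa_spki(N_B, E)


def main():
    ca = {"root-A": SPKI_A, "root-B": SPKI_B}
    ski_b = key_identifier(SPKI_B)
    print("SKI (RFC 3280 method 1):", ski_b.hex())
    print("SKI (RFC 3280 method 2):", key_identifier(SPKI_B, "rfc3280-2").hex())
    print("SKI (RFC 7093 SHA-256) :", key_identifier(SPKI_B, "rfc7093-1").hex())
    print("AKI", ski_b.hex()[:16], "... resolves to", find_issuer(ski_b, ca))


if __name__ == "__main__":
    main()
```

Whichever method a CA picks, the issuing CA's SKI and the AKI it writes into subordinate certificates must be produced the same way, since relying parties compare the octets literally rather than recomputing them from a named hash.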
