[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Is there anyone still alive on this list?
Oh, and another thing, it might be a good idea for the spec to require some
sort of consistency in the use of hash algorithms, I've seen SCEP messages
where one part is signed with SHA-1 and another part with MD5, it doesn't
really make much sense to use a SHA-1 signed cert in a request that's signed
with MD5, if the CA doesn't support SHA-1 then it can't process the overall
message anyway, and if it does support SHA-1 then it doesn't make any sense to
still use MD5.
Is there *anything* that still doesn't support SHA-1? I realise that the
original Cisco enrolment protocol (proto-SCEP) using MD5 has been around for
10-15 years or so, but I think making MD5 a SHOULD NOT and SHA-1 a MUST would
be pretty safe by now. If things are updated, it'd also be good to update the
message format to CMS, which superseded PKCS #7 more than a decade ago, it
feels a bit anachronistic to still see references to single DES, MD5, and PKCS
#7 in a document dating from 2010.