[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Is there anyone still alive on this list?



Oh, and another thing, it might be a good idea for the spec to require some 
sort of consistency in the use of hash algorithms, I've seen SCEP messages 
where one part is signed with SHA-1 and another part with MD5, it doesn't 
really make much sense to use a SHA-1 signed cert in a request that's signed 
with MD5, if the CA doesn't support SHA-1 then it can't process the overall 
message anyway, and if it does support SHA-1 then it doesn't make any sense to 
still use MD5.

Is there *anything* that still doesn't support SHA-1?  I realise that the 
original Cisco enrolment protocol (proto-SCEP) using MD5 has been around for 
10-15 years or so, but I think making MD5 a SHOULD NOT and SHA-1 a MUST would 
be pretty safe by now.  If things are updated, it'd also be good to update the 
message format to CMS, which superseded PKCS #7 more than a decade ago, it 
feels a bit anachronistic to still see references to single DES, MD5, and PKCS 
#7 in a document dating from 2010.

Peter.