IGTF and SHA-2

David KelseyTAGPMA meeting, SDSC

Feb 2012

SHA-2, TAGPMA 2

WLCG status

• Firstly – see slides from Maarten Litmaath about WLCG situation. SHA-2 and RFC proxies

Feb 2012

SHA-2, TAGPMA 3

Conclusion of discussion at EUGridPMA meeting Jan 2012

• migrating to SHA2 appears to be non-trivial, since it is convoluted with a move to RFC3820 style proxy certs

• There is still a bit of software out there that does not support RFC3820 proxies, and using libraries that support SHA-2 would necessitate the exclusive use of RFC proxies

• So there is a deadlock here• The presentation by DaveK (from Maarten Litmaath)

explains the dependencies and some wLCG considerations on the time line

Feb 2012

SHA-2, TAGPMA 4

Conclusions (2)

• We understand the complications, but at the same time the risk of using SHA-1 is increasing as more cryptanalysis is done

• Basically, it would not be beneficial to subscribers or RPs to start using SHA-2 now, knowing that many things will break, and a new risk analysis is needed, taking the deployment risks into account

• But at the same time the RAT and IGTF must develop a "Plan-B" in case SHA-1 is suddenly broken and we need to move to SHA-2 anyway, regardless of other consequences

Feb 2012

SHA-2, TAGPMA 5

EUGridPMA proposal on SHA-2

With regards to the introduction of SHA-2 the PMA now proposes to the IGTF the following:

• the RAT does a risk assessment of staying with SHA-1, in light of current cryptanalytic developments and the deployment issues identified

• if SHA-1 is broken, the RAT makes an immediate assessment based on the integrity of the subscriber certs, and will act regardless of RP deployment consequences

• we will NOT repeat NOT recommend CAs to move to SHA-2 for production use until the risk assessment completes

• noting that this provision ends in January 2013

Feb 2012

SHA-2, TAGPMA 6

Proposal (2)

• individual CAs MAY start issuing SHA-2 based certs on their own accord anyway (e.g. for testing, or to satisfy other needs)

• the date by which SHA-2 production certs may be issued will be NO LATER than January 2013

• and it is likely we will RECOMMEND CAs to move then, since it will take another 395 days to get rid of SHA-1 in a reasonable way

• additional digest algorithms, in particular the successor to SHA-2 which is chosen this year, may ALSO be used in production certs in January 2013

• but will NOT be introduced before SHA-2 is recommended for general use

Feb 2012

SHA-2, TAGPMA 7

Further notes

• Note that SHA-2 is a family, so all of SHA256, SHA384 or SHA512 may be encountered in production certs following this date!

• The NIST competition for a new hash algorithm (the successor of the SHA-2 family) is completing in half a year.

• The new hash family (let's call it "SHA-3") will be available in implementations by the end of this year.

• RPs may expect the use of SHA-3 based certs early 2013, although not before SHA-2 is released for general use

• We urge software developers to be flexible in the use of cryptography, rely on upgradable (dynamic) libraries and not tie to a specific hash, key algorithm or key size

Feb 2012

SHA-2, TAGPMA 8

One final note

• All CAs are kindly asked to stop using emailAddress (or Email, or "E") attributes.

• Not only in subject names, but also in their issuer name. There are three CAs (IUCC, IHEP, APAC) that still have those

• There are no such CAs in TAGPMA(?)

Feb 2012