IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012

WLCG status Firstly – see slides from Maarten Litmaath about WLCG situation. SHA-2 and RFC proxies Feb 2012SHA-2, TAGPMA2

Conclusion of discussion at EUGridPMA meeting Jan 2012 migrating to SHA2 appears to be non-trivial, since it is convoluted with a move to RFC3820 style proxy certs There is still a bit of software out there that does not support RFC3820 proxies, and using libraries that support SHA-2 would necessitate the exclusive use of RFC proxies So there is a deadlock here The presentation by DaveK (from Maarten Litmaath) explains the dependencies and some wLCG considerations on the time line Feb 20123SHA-2, TAGPMA

Conclusions (2) We understand the complications, but at the same time the risk of using SHA-1 is increasing as more cryptanalysis is done Basically, it would not be beneficial to subscribers or RPs to start using SHA-2 now, knowing that many things will break, and a new risk analysis is needed, taking the deployment risks into account But at the same time the RAT and IGTF must develop a "Plan-B" in case SHA-1 is suddenly broken and we need to move to SHA-2 anyway, regardless of other consequences Feb 20124SHA-2, TAGPMA

EUGridPMA proposal on SHA-2 With regards to the introduction of SHA-2 the PMA now proposes to the IGTF the following: the RAT does a risk assessment of staying with SHA-1, in light of current cryptanalytic developments and the deployment issues identified if SHA-1 is broken, the RAT makes an immediate assessment based on the integrity of the subscriber certs, and will act regardless of RP deployment consequences we will NOT repeat NOT recommend CAs to move to SHA-2 for production use until the risk assessment completes noting that this provision ends in January 2013 Feb 20125SHA-2, TAGPMA

Proposal (2) individual CAs MAY start issuing SHA-2 based certs on their own accord anyway (e.g. for testing, or to satisfy other needs) the date by which SHA-2 production certs may be issued will be NO LATER than January 2013 and it is likely we will RECOMMEND CAs to move then, since it will take another 395 days to get rid of SHA-1 in a reasonable way additional digest algorithms, in particular the successor to SHA-2 which is chosen this year, may ALSO be used in production certs in January 2013 but will NOT be introduced before SHA-2 is recommended for general use Feb 20126SHA-2, TAGPMA

Further notes Note that SHA-2 is a family, so all of SHA256, SHA384 or SHA512 may be encountered in production certs following this date! The NIST competition for a new hash algorithm (the successor of the SHA-2 family) is completing in half a year. The new hash family (let's call it "SHA-3") will be available in implementations by the end of this year. RPs may expect the use of SHA-3 based certs early 2013, although not before SHA-2 is released for general use We urge software developers to be flexible in the use of cryptography, rely on upgradable (dynamic) libraries and not tie to a specific hash, key algorithm or key size Feb 20127SHA-2, TAGPMA

One final note All CAs are kindly asked to stop using Address (or , or "E") attributes. Not only in subject names, but also in their issuer name. There are three CAs (IUCC, IHEP, APAC) that still have those There are no such CAs in TAGPMA(?) Feb 20128SHA-2, TAGPMA