In /etc/pki/default.cfg, we currently have the following:
# grep -e "=SHA" -e ^"\[" /etc/pki/default.cfg
[DEFAULT]
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_ssl_server_key_algorithm=SHA256withRSA
pki_subsystem_key_algorithm=SHA256withRSA
[Tomcat]
[CA]
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_signing_algorithm=SHA256withRSA
[KRA]
pki_storage_key_algorithm=SHA256withRSA
pki_storage_signing_algorithm=SHA256withRSA
pki_transport_key_algorithm=SHA256withRSA
pki_transport_signing_algorithm=SHA256withRSA
[OCSP]
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_signing_algorithm=SHA256withRSA
[RA]
[TKS]
[TPS]
Several end-users have often been overriding most if not all of these values with SHA512withRSA.
There are some sources (see http://crypto.stackexchange.com/questions/26336/sha512-faster-than-sha256) which report that SHA512 may actually be faster to compute than SHA256 when using 64-bit machines (the primary platform for CS).
Alternatively, there are some notable people who appear to refute the use of SHA512 vs. SHA256 (albeit based upon the argument for the purposes of "extra security") - (see https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/26LIJ9j4mZw/LyXYG0d8m5wJ).
Should we consider changing the current default values of SHA256withRSA to SHA512withRSA in /etc/pki/default.cfg?
rrelyea,
Please provide any merits/pitfalls to any decision on whether or not to implement this by default.
Thanks, -- Matt
Replying to [comment:4 mharmsen]:
rrelyea, Please provide any merits/pitfalls to any decision on whether or not to implement this by default. Thanks, -- Matt
rrelyea replied:
The big risk is if there are clients that use SHA-256 and not SHA-512. I don't know if any exists. Most toolkits, libraries, etc. implemented all the SHA-2 hashes at once, so it's probably pretty minor, but SHA-256 has gotten the most attention of the SHA-2 hashes, so it's possible there may be some out there. SHA-512 is more secure than SHA-256, but I'm not sure the bar is truly meaningful (I'm not sure that there is a real risk with SHA-256), but it does provide some psychological advantage. SHA-512 has a bigger block size and is slower, though the block size turns out is limited by the signature algorithms anyway, so it shouldn't affect the size of the certificate. SHA-384 and SHA-512 are about the same speed. In general the government used SHA-384 because it fits their security requirements more closely and has a shorter bit length.
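The speed claims in this thread can be measured on the deployment host itself. The following is an added example (not part of the ticket and not Dogtag code) that reads the hash names out of a default.cfg-style snippet and measures SHA-256/384/512 throughput with Python's hashlib. The sample config is a constructed subset of the settings quoted above, and the 1 KiB and 1 MiB buffer sizes and the function names are assumptions.

```python
import hashlib
import time

# Constructed sample: a few of the settings quoted in the issue.
SAMPLE_CFG = """\
[DEFAULT]
pki_ssl_server_key_algorithm=SHA256withRSA
[CA]
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ocsp_signing_signing_algorithm=SHA256withRSA
[KRA]
pki_storage_signing_algorithm=SHA256withRSA
"""

def hash_settings(cfg_text):
    """Return {section: {key: hashlib name}} for '<HASH>withRSA' values."""
    found, section = {}, None
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and not line.startswith("#"):
            key, value = (p.strip() for p in line.split("=", 1))
            if value.endswith("withRSA"):
                name = value[:-len("withRSA")].lower()  # SHA256 -> sha256
                found.setdefault(section, {})[key] = name
    return found

def throughput(name, size, budget=0.2):
    """Hash a size-byte buffer repeatedly for ~budget seconds; return MB/s."""
    data = bytes(size)
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        hashlib.new(name, data).digest()
        count += 1
    return count * size / (time.perf_counter() - start) / 1e6

def compare(cfg_text, sizes=(1024, 1 << 20)):
    """Benchmark the configured hashes plus the SHA-384/512 candidates."""
    settings = hash_settings(cfg_text)
    configured = {h for keys in settings.values() for h in keys.values()}
    candidates = sorted(configured | {"sha384", "sha512"})
    return {(h, n): throughput(h, n) for h in candidates for n in sizes}

if __name__ == "__main__":
    for (name, size), mbps in sorted(compare(SAMPLE_CFG).items()):
        print(f"{name:7} {size:>8} bytes  {mbps:8.1f} MB/s")
```

The 1 KiB row approximates hashing a single certificate-sized input, while the 1 MiB row shows bulk throughput; results vary with CPU and with how the local OpenSSL build is optimized.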
Per CS/DS Meeting of 10/19/2015: 10.4
Future consideration should be given to this to either: (a) potentially change defaults from 256 -> 384, and/or (b) potentially revisit this once SHA-3 becomes available
Metadata Update from @mharmsen: - Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2212
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)