SHA-2 Compliance

When a certificate authority signs a certificate, it uses one of several possible hash algorithms. Historically, the most popular algorithms were MD5 (now retired due to security issues) and the SHA-1 family. SHA-1 certificates are being phased out due to theoretical weaknesses there are no known pragmatic attacks, but there is reason to believe one may be possible in the future. These days, the preferred hash algorithm family is SHA-2.

The certificate authorities (CAs), which issue host and user certificates that are used widely in the OSG, will default to SHA-2-based certificates on 1 October 2013; by that time, all sites will need to make sure that their software is ready to support certificates using the SHA-2 algorithms (as well as older ones). Some components of the OSG software stack have added SHA-2 support only recently. The table below denotes indicates the minimum releases necessary to support SHA-2 certificates.

Component Version In Release Notes
BeStMan 2 bestman2-2.3.0-9.osg 3.1.13 SHA-2 support; also see jGlobus, below
dCache SRM client dcache-srmclient- 3.1.22 Major update includes SHA-2 support
Globus GRAM globus-gram-job-manager-13.45-1.2.osg
3.1.9 Critical bug fixes (not SHA-2 specific)
GUMS gums- 3.1.13 Switched to jGlobus 2 with SHA-2 support; also see jGlobus, below
jGlobus (for BeStMan 2) jglobus-2.0.5-3.osg 3.1.18 Fixed CRL refresh bug (not SHA-2 specific)
VOMS voms-2.0.8-1.5.osg 3.1.17 SHA-2 fix for voms-proxy-init

If a component does not appear in the above table, it already has SHA-2 support. This table will be updated if testing or usage reveals further issues.

Topic revision: r5 - 20 Aug 2013 - 22:13:05 - TimTheisen
Hello, TWikiGuest!


TWiki | Report Bugs | Privacy Policy

This site is powered by the TWiki collaboration platformCopyright by the contributing authors. All material on this collaboration platform is the property of the contributing authors..