When a certificate authority signs a certificate, it uses one of several possible hash algorithms. Historically, the most popular algorithms were MD5 (now retired due to security issues) and the SHA-1 family. SHA-1 certificates are being phased out due to theoretical weaknesses — there are no known practical attacks, but there is reason to believe one may be possible in the future. These days, the preferred hash algorithm family is SHA-2.
The certificate authorities (CAs), which issue the host and user certificates used widely in the OSG, will default to SHA-2-based certificates on 1 October 2013; by that time, all sites will need to make sure that their software is ready to support certificates using the SHA-2 algorithms (as well as the older ones). Some components of the OSG software stack have added SHA-2 support only recently. The table below indicates the minimum releases necessary to support SHA-2 certificates.
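The first thing a site needs in order to act on the paragraph above is an inventory of which hash algorithm each of its existing certificates was signed with. The following added example (not part of the original page, and not OSG software) is a small pure-Python check that reads a DER or PEM certificate, walks the ASN.1 structure to the tbsCertificate signature AlgorithmIdentifier, and reports whether the signing algorithm is MD5, SHA-1 or SHA-2. The OIDs in the table are the standard PKIX ones; the sample certificate skeleton is constructed inline so the script runs offline, and the function names (`check_certificate`, `constructed_cert_skeleton`) are this example's own.

```python
import base64

# Standard signature-algorithm OIDs -> (name, hash family). RSASSA-PSS (1.2.840.113549.1.1.10)
# carries its hash in the parameters and is deliberately reported as "unknown" here.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-2"),
}


def read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def decode_oid(body):
    """Decode DER OID content octets into dotted notation."""
    parts = [str(body[0] // 40), str(body[0] % 40)]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm_oid(cert_der):
    """Walk Certificate -> tbsCertificate -> signature AlgorithmIdentifier -> algorithm OID."""
    tag, start, _, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _, _ = read_tlv(cert_der, start)          # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, _, after = read_tlv(cert_der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = after
    tag, _, _, pos = read_tlv(cert_der, pos)            # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("missing serialNumber")
    tag, alg_start, _, _ = read_tlv(cert_der, pos)      # signature AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing signature AlgorithmIdentifier")
    tag, oid_start, oid_end, _ = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])


def load_der(cert):
    """Accept DER bytes or a PEM string/bytes and return DER bytes."""
    if isinstance(cert, bytes) and not cert.lstrip().startswith(b"-----"):
        return cert
    text = cert.decode("ascii") if isinstance(cert, bytes) else cert
    body = "".join(line.strip() for line in text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def check_certificate(cert):
    """Report the signing hash family of a certificate; only SHA-2 counts as ready."""
    oid = signature_algorithm_oid(load_der(cert))
    name, family = SIG_ALG_OIDS.get(oid, ("unknown (" + oid + ")", "unknown"))
    return {"oid": oid, "algorithm": name, "hash_family": family, "sha2_ready": family == "SHA-2"}


# --- constructed sample data (not real certificates) ------------------------------------
def der(tag, body):
    """Encode one DER TLV."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted):
    """Encode a dotted OID into DER content octets."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert_skeleton(sig_oid):
    """Constructed sample: a structurally minimal, unsigned Certificate whose tbsCertificate
    carries version, serial and the signature AlgorithmIdentifier (enough for this check)."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x00" * 4))   # dummy signatureValue


def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_certificate(to_pem(constructed_cert_skeleton(oid))))
```

On a real site the same `check_certificate` call can be run over every `.pem` under the host and user certificate directories, and any result whose `sha2_ready` is false marks a certificate that will need reissuing by the CA rather than a software upgrade.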
| Component | In Release | Notes |
| BeStMan 2 | | SHA-2 support; also see jGlobus, below |
| dCache SRM client | | Major update includes SHA-2 support |
| Globus GRAM | | Critical bug fixes (not SHA-2 specific) |
| | | Switched to jGlobus 2 with SHA-2 support; also see jGlobus, below |
| jGlobus (for BeStMan 2) | | Fixed CRL refresh bug (not SHA-2 specific) |
| | | SHA-2 fix for voms-proxy-init |
If a component does not appear in the above table, it already has SHA-2 support. This table will be updated if testing or usage reveals further issues.
Topic revision: r5 - 20 Aug 2013 - 22:13:05 - TimTheisen