On Thu, 2024-03-14 at 04:52 -0700, James Prestwood wrote: > I'm also not entirely sure why this stuff continues to be removed > from the kernel. First MD4, then it got reverted, then this (now > reverted, thanks). Both cases there was not clear justification of > why it was being removed. I think this is some misunderstanding of the NIST and FIPS requirements with regards to hashes, ciphers and bits of security. The bottom line is that neither NIST nor FIPS requires the removal of the sha1 algorithm at all. Both of them still support it for HMAC (for now). In addition, the FIPS requirement is only that you not *issue* sha1 hashed signatures. FIPS still allows you to verify legacy signatures with sha1 as the signing hash (for backwards compatibility reasons). Enterprises with no legacy and no HMAC requirements *may* remove the hash, but it's not mandated. So *removing* sha1 from the certificate code was the wrong thing to do. We should have configurably prevented using sha1 as the algorithm for new signatures but kept it for signature verification. Can we please get this sorted out before 2025, because next up is the FIPS requirement to move to at least 128 bits of security which will see RSA2048 deprecated in a similar way: We should refuse to issue RSA2048 signatures, but will still be allowed to verify them for legacy reasons. James
