SHA1 -> SHA2

Dave's talk + Maarten, David Groep on Karlsruhe's outcome: summary

Maarten: 15 months for sites to be up-to-date; by end 2013 all should be up-to-speed and SHA2 compliant.

Maarten's presentation on WLCG status and plan:
- dCache and BeStMan moving to SHA2 and RFC proxies, linked together
- jglobus lib 1 is stone age and slow, dCache want to get rid of it -> j2
- All changes tricky, NOT trivial, very careful to get it right + performance issues
- It can still be done (dCache might take ownership of the library, ref Paul Millar). jglobus version 10 preferred, but no task assigned yet
- Once jglobus fixed, BeStMan too. jglobus problem needs to be decided soon.
- Other software besides dCache and BeStMan
- LHC runs extended to end Feb 2013 -> summer next year the natural break
- UMD release cycle description. UMD 2 with RFC proxy support
- SL6 has the new version of OpenSSL
- By spring all with a supported version -> by 2013 all SHA2 + RFC proxy compliant
- Big problem: the LHC experiments' own software suites, e.g. LHCb DIRAC, not ready for the transition, some dev needed. Maarten will remind the exps in the GDB about this in 2 days. Other VOs also affected. See EGI and SHA2 document.

David/Dave: timeline to be agreed upon the RAT analysis
- Proposal: end of SHA1 March 2014. New certs to be SHA2 April 2014.
- Different serial numbers for SHA1 and SHA2. Same for CRLs.

Maarten: SHA1 to be also disabled from the middleware in case of a SHA1 vulnerability? OS update might not be enough.
David: OpenSSL prefers sent over chain: problem!
No attribute authorities discussion. Maarten: this is orthogonal to the main problem.
Maarten: it'd be nice to avoid SHA1/SHA2 mixture, say in VOMS proxies (for error message's sake).
Old root CAs can remain SHA1.
SHA2 512 for CAs, RP 512 and 256.
CRL problem: SHA1 vs SHA2 and fetch-crl script (capable of handling both).

----------------------------------------
Summary and Conclusions on SHA2

See document by David
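As an added example, not part of these minutes and not code from dCache, BeStMan, jglobus or fetch-crl: a stdlib-only Python audit that reports the signature hash algorithm of certificates and CRLs, which is the check a site would run to find remaining SHA1-signed material (and to see that SHA1 and SHA2 certificates carry distinct serial numbers) ahead of the proposed cut-off. It assumes well-formed DER and only reads the outer signatureAlgorithm and the certificate serial; the sample inputs are constructed in-script with placeholder TBS content and are not real certificates or CRLs.

```python
"""Audit X.509 certificates and CRLs for SHA1 signatures (stdlib only).

Both a Certificate and a CertificateList are SEQUENCE { tbs SEQUENCE,
signatureAlgorithm AlgorithmIdentifier, signature BIT STRING }, so one
DER walk serves both, the way a fetch-crl style script must handle both.
"""
import base64
import re

# Dotted OID -> algorithm name (RFC 3279 / RFC 5758 values).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OID content octets to dotted form."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def _pem_to_der(data):
    """Accept PEM (any label) or raw DER."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def _outer_fields(der):
    """Locate the tbs body and decode the outer signatureAlgorithm OID."""
    tag, body, _ = _read_tlv(der, 0)
    tbs_tag, tbs_body, tbs_end = _read_tlv(der, body)
    alg_tag, alg_body, _ = _read_tlv(der, tbs_end)
    oid_tag, oid_body, oid_end = _read_tlv(der, alg_body)
    if (tag, tbs_tag, alg_tag, oid_tag) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not a DER certificate or CRL")
    return tbs_body, _decode_oid(der[oid_body:oid_end])


def signature_algorithm(data):
    """Dotted OID of the outer signatureAlgorithm of a cert or CRL."""
    return _outer_fields(_pem_to_der(data))[1]


def cert_serial(data):
    """Serial number of a certificate (skips the optional [0] version)."""
    der = _pem_to_der(data)
    tbs_body, _ = _outer_fields(der)
    tag, body, end = _read_tlv(der, tbs_body)
    if tag == 0xA0:  # EXPLICIT version present
        tag, body, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[body:end], "big", signed=True)


def audit(objects):
    """name -> (algorithm name, uses_sha1) for a dict of PEM/DER blobs."""
    report = {}
    for name, blob in objects.items():
        oid = signature_algorithm(blob)
        alg = SIG_ALG_NAMES.get(oid, "unknown(" + oid + ")")
        report[name] = (alg, "sha1" in alg.lower())
    return report


# ---- constructed sample inputs (placeholder TBS content, not real certs) ----
OID_SHA1_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"
OID_SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
OID_SHA512_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0d"


def _der(tag, content):  # short-form lengths are enough for the samples
    return bytes([tag, len(content)]) + content


def _pem(label, der):
    return (b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der)
            + b"-----END " + label + b"-----\n")


def _sample_cert(sig_oid, serial):
    alg = _der(0x30, sig_oid + b"\x05\x00")  # AlgorithmIdentifier + NULL
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))  # version v3
                     + _der(0x02, serial.to_bytes(4, "big")) + alg)
    return _pem(b"CERTIFICATE", _der(0x30, tbs + alg + _der(0x03, b"\x00\xab")))


def _sample_crl(sig_oid):
    alg = _der(0x30, sig_oid + b"\x05\x00")
    tbs = _der(0x30, _der(0x02, b"\x01") + alg)  # version v2 + signature
    return _pem(b"X509 CRL", _der(0x30, tbs + alg + _der(0x03, b"\x00\xab")))


SAMPLES = {
    "host-sha1": _sample_cert(OID_SHA1_RSA, 4096),
    "host-sha256": _sample_cert(OID_SHA256_RSA, 8192),
    "ca-crl-sha512": _sample_crl(OID_SHA512_RSA),
}

if __name__ == "__main__":
    for name, (alg, sha1) in audit(SAMPLES).items():
        print(name, alg, "SHA1: replace before cut-off" if sha1 else "ok")
```

Run over a site's host certificates and the CRLs that fetch-crl downloads, the report flags SHA1 items; an unknown OID is printed rather than silently passed, so an algorithm missing from the table is visible.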