[ECA-6369] Change default OCSP signature algorithm to use SHA-256 - PrimeKey Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: EJBCA 6.10.0.2
Fix Version/s: EJBCA 6.11.0
Component/s: PKI core
Labels:
None

Issue discovered during:
Community
Sprint:
EJBCA Sprint 4

Description

Currently, the default signature algorithm when creating a new OCSP key binding is SHA1WithRSA or SHA1withECDSA.

According to recommendations (European eIDAS, French RGS, USA NIST), the hash function must have a fingerprint length of 256 bits or more.

Actions:

Change default OCSP signature algorithms to SHA256WithRSA and SHA256withECDSA

Note:

Keep SHA1WithDSA for DSA algorithm

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

eca-6369_change-default-ocsp-signature-algorithm-to-use-sha-256_2-junit.patch
1 kB
2017-11-30 09:41
eca-6369_change-default-ocsp-signature-algorithm-to-use-sha-256.patch
1 kB
2017-11-24 17:44

Activity

People

Assignee:: David Carella

Reporter:: David Carella

Verified by:: Mike Agrenius Kushner

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2017-11-24 11:53

Updated:: 2019-05-13 13:11

Resolved:: 2017-12-07 14:12

Time Tracking

Estimated:

Not Specified

Remaining:

Not Specified

Logged:

4m