Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Capehart,Jeffrey D" <>
- Subject: [AD-Assurance] RE: Updates to AD Cookbook 2013
- Date: Fri, 6 Sep 2013 17:33:24 +0000
- Accept-language: en-US
>>> This was a reference to SHA-1 approval being discontinued as of January (as is currently being discussed on the parent Assurance list). I don’t know/remember if RC4 protocol usage is actually a concern in the context of SSL.
If your web server's supported cipher suites include ssl_rsa_with_rc4_128_sha or ssl_rsa_with_rc4_128_MD5, then RC4 is being used.
SHA-1 may also be in use for digital signature verification (_SHA) and potentially could be OK for legacy use. There has been discussion that SSLv3 internally uses MD5 as part of HMAC which would not meet Protected Channel, but I thought that was only for the (_MD5) cipher suite.
Neither RC4 nor MD5 was ever an approved algorithm, but at least SHA-1 has legacy approval after 2013 for digital signature verification (not generating the digital signature, as for an SSL certificate, but validating it). So if SSL were to be granted an exception or alternative means to a Protected Channel, it might need to address more than just allowing RC4.
There may be some SSL certificates out there that have expiration dates far into the future that still need to be validated each time they are used to create the SSL connection.
One correction (problem with late night editing):
We may need an alternate means statement here to allow SSL/TLS using RC4.
This should reference SHA-1. This was a reference to SHA-1 approval being discontinued as of January (as is currently being discussed on the parent Assurance list). I don’t know/remember if RC4 protocol usage is actually a concern in the context of SSL.
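As an added example (not part of this thread or the AD Cookbook), the following script applies the reading above to a server's offered cipher list: RC4 and MD5 flag a suite as not approved, a SHA-1 HMAC marks it legacy only. The input is a constructed sample in the shape of `openssl ciphers -v` output, not real server output.

```python
import re

# Constructed sample in the shape of `openssl ciphers -v` output
# (name, protocol, Kx=, Au=, Enc=, Mac=); not captured from any real host.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+).*?Enc=(?P<enc>\S+).*?Mac=(?P<mac>\S+)"
)


def audit_suite(line):
    """Classify one `openssl ciphers -v` line as (name, verdict, reasons).

    verdict follows the thread's reading of the assurance criteria:
    'not approved' for RC4 or MD5, 'legacy' for a SHA-1 HMAC, else 'ok'.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable cipher line: {line!r}")
    reasons = []
    if m["enc"].upper().startswith("RC4"):
        reasons.append("RC4 bulk cipher was never an approved algorithm")
    if m["mac"].upper() == "MD5":
        reasons.append("MD5-based HMAC was never an approved algorithm")
    verdict = "not approved" if reasons else "ok"
    if not reasons and m["mac"].upper() == "SHA1":
        verdict = "legacy"
        reasons.append("SHA-1 HMAC has legacy approval only")
    return m["name"], verdict, reasons


def audit_cipher_list(text):
    """Map every suite in a cipher listing to its verdict."""
    return {
        audit_suite(line)[0]: audit_suite(line)[1]
        for line in text.splitlines()
        if line.strip()
    }


def protected_channel_clean(results):
    """True only when no offered suite relies on a never-approved algorithm."""
    return all(v != "not approved" for v in results.values())
```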