...

Type of meeting: Gotomeeting (https://www.gotomeet.me/peppoledelivery)

Participants and absents

Chair

Berg, Hans <hans.berg@tickstar.com> as eDelivery Community Leader

...

Langøy, Bård <bard.langoy@pagero.com>

Agenda

1. Define a way how to support SHA2 algorithms in PEPPOL AS2 profile
   1. Based on "eDelivery Capability extension work group" result document, chapter 3.2 (see file at the bottom of this page).
   2. Migration plan is needed

Background

PEPPOL AS2 profile mandates the use of "SHA 1" as the message digest algorithm for the non-repudiation of receipt.

...

The original documents created by the eDelivery Capability Extension work group are attached at the bottom of this page for reference.

Discussion

• Current PEPPOL AS2 specification 1.01 references RFC 3851 - S/MIME 3.1 Message Specification
  • RFC 3851 (dated July 2004) allows for SHA2 algorithms, but only on a voluntary basis
  • https://www.ietf.org/rfc/rfc3851.txt
• RFC 5751 (dated Jan 2010) obsoletes RFC 3851 - S/MIME 3.2 Message Specification:
  • https://tools.ietf.org/html/rfc5751
  • It mandates the use of SHA 256 and makes the support for SHA1 and MD5 optional
  • The names of the MIC algorithms changes (RFC 3851: "sha256"; RFC 5751: "sha-256"), so it's easy to identify what version is used
  • All changes from RFC 3851 are documented in chapter 1.6 - https://tools.ietf.org/html/rfc5751#section-1.6

Proposal

To change the usage of SHA1 to SHA 256 in the PEPPOL AS2 profile the following steps are suggested:

...

1. The usage of a separate transport profile (like "busdox-tansport-as2-ver1p0r1") is not favoured, because it would have implications not only on all APs but also on all SMPs.

-- EoD

Attachments