
Re: ISSUE-22 (Is SHA1 good enough?): Is sha1 as a DigestMethod strong enough for Widgets digital signatures?

From: Arthur Barstow <art.barstow@nokia.com>
Date: Mon, 3 Nov 2008 07:56:18 -0500
Message-Id: <EC9F1C84-A4D4-46D5-84D2-9984B0FC41B1@nokia.com>
To: Web Applications Working Group WG <public-webapps@w3.org>

Based on the October 21 discussion with the XML Security WG:

  <http://www.w3.org/2008/10/21-wam-minutes.html#item07>

The group decided SHA-256 is required, thus this issue is closed.

-Regards, Art Barstow



On Jun 27, 2008, at 2:02 AM, ext Web Applications Working Group Issue  
Tracker wrote:

>
> ISSUE-22 (Is SHA1 good enough?): Is sha1 as a DigestMethod strong  
> enough for Widgets digital signatures?
>
> http://www.w3.org/2008/webapps/track/issues/
>
> Raised by: Josh Soref
> On product:
>
> The widgets 1.0: Digital Signature specification currently mandates  
> that the DigestValue be calculated using RSA-SHA1 (and indicated as  
> such by the DigestMethod). However, weaknesses have been found in  
> SHA1 [1]. So would some other DigestMethod be more appropriate?  
> Does it really matter that SHA1 has been "broken" for this use case?
>
> [1] http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>
>
>
>
Received on Monday, 3 November 2008 12:57:36 GMT
