[ACTION-120] Review SP 800-57 for HMAC-SHA256 (Issue 74) from Kelvin Yiu on 2008-12-02 (public-xmlsec@w3.org from December 2008)

From: Kelvin Yiu <kelviny@exchange.microsoft.com>
Date: Tue, 2 Dec 2008 08:44:59 -0800
To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <B50E442C206C3045BD85290E7AA3FD498BC94C0411@df-whippet-msg.exchange.corp.microso>

I think issue 74 refers to a question about whether it is necessary to require HMAC-SHA256 in 1.1.

According to NIST Special Publication 57 Part 1 (http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf), HMAC-SHA1 is acceptable at the equivalent of 128 bits of security even though SHA256 is required for signature applications (see table 3 on page 64). Hence, I don't believe it is necessary to require HMAC-SHA256 in 1.1.

Kelvin

Received on Tuesday, 2 December 2008 16:46:03 UTC