W3C home > Mailing lists > Public > public-xmlsec@w3.org > December 2008

[ACTION-120] Review SP 800-57 for HMAC-SHA256 (Issue 74)

From: Kelvin Yiu <kelviny@exchange.microsoft.com>
Date: Tue, 2 Dec 2008 08:44:59 -0800
To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <B50E442C206C3045BD85290E7AA3FD498BC94C0411@df-whippet-msg.exchange.corp.microsoft.com>
I think issue 74 refers to a question about whether it is necessary to require HMAC-SHA256 in 1.1.

According to NIST Special Publication 57 Part 1 (http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf), HMAC-SHA1 is acceptable at the equivalent of 128 bits of security even though SHA256 is required for signature applications (see table 3 on page 64). Hence, I don't believe it is necessary to require HMAC-SHA256 in 1.1.

Kelvin
Received on Tuesday, 2 December 2008 16:46:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:55 GMT