W3C home > Mailing lists > Public > xml-encryption@w3.org > April 2002

Re: What do we do with our SHA References? (Was: What do we do with our CMS References?)

From: Donald Eastlake 3rd <dee3@torque.pothole.com>
Date: Tue, 30 Apr 2002 09:42:23 -0400 (EDT)
To: reagle@w3.org
Cc: xml-encryption@w3.org
Message-ID: <Pine.LNX.4.44.0204300930250.9423-100000@netbusters.com>
Tom is correct. As a FIPS is updated, the suffix version number counts
up and each one is considered to completely supercede all previous
version which usually become unavailable fairly quickly. It is common
for later FIPS to include additional algoriths. Thus the DSA FIPS is
still frequently referred to as that although the latest versions have a
number of additional signature algorithms in them.

There is nothing wrong with indicating that FIPS 180-2 is currently a
draft but no changes are expected. (Of course, I suppose that was what
they said about the original SHA before it was incompatibly changed to
become SHA-1...) Eventually a FIPS is withdrawn, which really just means
it is no longer an official FIPS for the purposes of US Government
entities, and sometimes also means it becomes unavailable from NIST but
some withdrawn FIPS continue to be used as industry references and are
still available. For SHA-1 we can also reference RFC 3174. Although I'm
working on one in the background, there is no RFC for the stronger SHAs
yet. RFCs, like W3C documents, have the advantage of being stable, as
compared with FIPS and ISO standards which are inherently unstable.

 Donald E. Eastlake 3rd                       dee3@torque.pothole.com
 155 Beaver Street              +1-508-634-2066(h) +1-508-851-8280(w)
 Milford, MA 01757 USA                   Donald.Eastlake@motorola.com

On Tue, 30 Apr 2002, Tom Gindin wrote:

> Date: Tue, 30 Apr 2002 08:14:16 -0400
> From: Tom Gindin <tgindin@us.ibm.com>
> To: reagle@w3.org
> Cc: aleksey@aleksey.com, Donald Eastlake 3rd <dee3@torque.pothole.com>,
>      xml-encryption@w3.org
> Subject: Re: What do we do with our SHA References? (Was: What do we do
>     with our CMS References?)
>       FIPS 180-2 is expected to supersede FIPS 180-1, which is why it
> contains SHA-1 as well as the three new ones.  While they keep FIPS
> standards which have been superseded around for a while, you can no longer
> get FIPS 46-2 (lifetime 1993-99) from the FIPS index under CSRC, nor from
> the main FIPS page.  We might as well leave in both references, and note
> that when FIPS 180-2 is finalized it will supersede FIPS 180-1 and replace
> it as the normative reference for SHA-1, as well as providing one for the
> other SHA's.
>             Tom Gindin
> Joseph Reagle <reagle@w3.org>@w3.org on 04/29/2002 04:21:48 PM
> Please respond to reagle@w3.org
> Sent by:    xml-encryption-request@w3.org
> To:    aleksey@aleksey.com
> cc:    Donald Eastlake 3rd <dee3@torque.pothole.com>, xml-encryption@w3.org
> Subject:    What do we do with our SHA References? (Was: What do we do with
>        our CMS References?)
> On Monday 29 April 2002 12:46, Aleksey Sanin wrote:
> > Yes, it is correct now. Probably the wrong version was cached by my
> > browser. I also think that it's a good idea to note that SHA2 algorithms
> > (SHA256/SHA512)
> > are also in the "draft" stage.
> Presently the reference says:
> Secure Hash Standard. NIST FIPS 180-1. April 1995.
> http://www.itl.nist.gov/fipspubs/fip180-1.htm
>  (Being extended to cover SHA-256 and SHA-512. See Draft FIPS 180-2.)
>  (http://csrc.nist.gov/encryption/shs/dfips-180-2.pdf
> Should we break this apart in to a SHA1 and SHA2 reference? Don, I think
> the "being extended" is your text, though I'm not sure what it means and
> I'm not that familiar with FIPSs. Will they still consider it the same
> standard, or FIPS 180-2 is a distinct specification (that supercede 180-1,
> but 180-1 can still be referenced)?
> Also, in the CMS references, for the text we rely upon we include in-line
> in our spec, so we are protected from changes to those specifications.
> However, we don't do that for SHA2 -- and I wouldn't want to. Do folks know
> what the plans are for that spec? Is it likely to change at all?
Received on Tuesday, 30 April 2002 09:42:39 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:03 UTC