- From: Sandro Hawke <sandro@w3.org>
- Date: Thu, 29 Sep 2011 12:08:10 -0400
- To: Andy Seaborne <andy.seaborne@epimorphics.com>
- Cc: public-rdf-dawg@w3.org
On Thu, 2011-09-29 at 15:59 +0100, Andy Seaborne wrote:
>
> On 29/09/11 14:06, Andy Seaborne wrote:
> > Reduce the number of library (required) functions to
> >
> > Please put your (+1 | 0 | -1) on each of:
> >
> > Proposal 1:
> > SHA1
> > MD5
> >
> > Proposal 2:
> > SHA1
> > MD5
> > SHA256
> >
> > Proposal 3:
> > SHA1
> > MD5
> > SHA256
> > SHA512
> >
> > Proposal 4:
> > Other (with details)
> >
> >
> > Variations: leave the other functions in as "informative, not required"
> > and leave the keywords in the grammar.
> >
> > Andy
> >
>
> Sandro came up with:
>
> http://www.w3.org/TR/xmldsig-core2/#sec-MessageDigests
>
> which mentions certain SHAx algorithms so it gives us an external
> reason for choosing a certain set:
>
> Proposal 5:
> MD5
> SHA1
> SHA256
> SHA512
> SHA384
> SHA512
>
> (i.e. remove SHA224, but that's the problematic one for the commenter
> (Jeen) because it's not in the core Java runtime).

You also include SHA512 twice, making the list look longer! :-)

Also, I was advised against including MD5 -- as the earlier xmldsig advises -- because of known security problems with it. I guess the theory is that it's important to steer people away from technology that looks secure but isn't. (The counter-argument is that some people still use it. But maybe we should let that be entirely on them.)

-- Sandro

> http://download.oracle.com/javase/7/docs/api/
> http://download.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest
>
> Do any programming languages have problems with this set?
>
> Andy
Received on Thursday, 29 September 2011 16:08:18 UTC