Re: ISSUE-22 (Is SHA1 good enough?): Is sha1 as a DigestMethod strong enough for Widgets digital signatures? from Arthur Barstow on 2008-11-03 (public-webapps@w3.org from October to December 2008)

From: Arthur Barstow <art.barstow@nokia.com>
Date: Mon, 3 Nov 2008 07:56:18 -0500
To: Web Applications Working Group WG <public-webapps@w3.org>
Message-Id: <EC9F1C84-A4D4-46D5-84D2-9984B0FC41B1@nokia.com>

Based on the October 21 discussion with the XML Security WG:

  <http://www.w3.org/2008/10/21-wam-minutes.html#item07>

The the group decided SHA-256 is required thus this issue is closed.

-Regards, Art Barstow



On Jun 27, 2008, at 2:02 AM, ext Web Applications Working Group Issue  
Tracker wrote:

>
> ISSUE-22 (Is SHA1 good enough?): Is sha1 as a DigestMethod strong  
> enough for Widgets digital signatures?
>
> http://www.w3.org/2008/webapps/track/issues/
>
> Raised by: Josh Soref
> On product:
>
> The widgets 1.0: Digital Signature specification currently mandates  
> that the DigestValue be calculated using RSA-SHA1(and indicated as  
> such by the DigestMethod). However, weaknesses have been found in  
> SHA1 [1]. So would some other DigestMethod be more appropriate?  
> does it really matter that SHA1 has been "broken" for this use case?
>
> [1] http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>
>
>
>

Received on Monday, 3 November 2008 12:57:36 UTC