- From: Martin, Cynthia E. <cemartin@mitre.org>
- Date: Wed, 6 Jan 2010 19:14:21 -0500
- To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>, Frederick Hirsch <Frederick.Hirsch@nokia.com>
- CC: "Martin, Cynthia E." <cemartin@mitre.org>
I don't know if anything else was referenced, but I go here: http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html http://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html=20 It's the first real reference to the issue. Regards, Cynthia > > -----Original Message----- > From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org > ] On= > Behalf Of Frederick Hirsch > Sent: Friday, December 11, 2009 8:58 AM > To: XMLSec WG Public List > Cc: Frederick Hirsch > Subject: Add warnings to Signature 1.1 and 1.1 requirements on SHA-1? > > Do we need more text in XML Signature 1.1 regarding the suitability > =20 > (or lack thereof) of SHA-1, and maybe a reference to the NIST =20 > recommendation to use SHA2 going forward from 2010 as well as the =20 > crypto regarding SHA-1? > > We probably also need to add this to the 1.1 requirements as well. > > Does anyone have a good pointer to a paper outlining why SHA-1 is no > =20 > longer suitable? > > Is the suitable NIST reference the following, or is there a better > one? > > [[ March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, > SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all > applications using secure hash algorithms. Federal agencies should > stop using SHA-1 for digital signatures, digital time stamping and > other applications that require collision resistance as soon as > practical, and must use the SHA-2 family of hash functions for these > applications after 2010. After 2010, Federal agencies may use SHA-1 > only for the following applications: hash-based message authentication > codes (HMACs); key derivation functions (KDFs); and random number > generators (RNGs). Regardless of use, NIST encourages application and > protocol designers to use the SHA-2 family of hash functions for all > new applications and protocols. ]] > > http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html > > regards, Frederick > > Frederick Hirsch > Nokia > > > > > >
Received on Thursday, 7 January 2010 00:14:56 UTC