- From: Bruce Rich <brich@us.ibm.com>
- Date: Thu, 16 Sep 2010 12:33:15 -0500
- To: "Scott Cantor" <cantor.2@osu.edu>
- Cc: public-xmlsec@w3.org
- Message-ID: <OF4D9F64A8.57AFF058-ON862577A0.006007FC-862577A0.00606DE5@us.ibm.com>
Well, since it's a new element I don't think it's an issue to default to a modern hash. In the fullness of time, I would expect the WSS specs to be revised to less tightly bind to a particular hash. Given NIST800-131 current guidance, CAs will be moving to SHA256 and RSA>1024.

Bruce A Rich
brich at-sign us dot ibm dot com

From: "Scott Cantor" <cantor.2@osu.edu>
To: <public-xmlsec@w3.org>
Date: 09/16/2010 12:16 PM
Subject: RE: ACTION-665: Devise proposal for X509SerialNumber
Sent by: public-xmlsec-request@w3.org

Resending to list...

> > I was OK with everything but the SHA-1 default. I think a better default
> > would be SHA-256.
>
> I won't fight it, I just think in practice it will create headaches. I was
> also staying with the default thumbprint that is found in WSS and in most
> certificate tools (and there's also the fact that the TLS channel bindings
> RFC defines the hash algorithm to use for endpoint CB based on the hash used
> in the cert. That's normally SHA-1.)
>
> Is there reason to think most CAs are going to be switching to SHA-2 soon?
>
> None of this is to say we can't choose whatever we want, just explaining my
> reasoning.
>
> -- Scott
Received on Thursday, 16 September 2010 17:33:49 UTC