RE: ACTION-665: Devise proposal for X509SerialNumber from Bruce Rich on 2010-09-16 (public-xmlsec@w3.org from September 2010)

From: Bruce Rich <brich@us.ibm.com>
Date: Thu, 16 Sep 2010 12:33:15 -0500
To: "Scott Cantor" <cantor.2@osu.edu>
Cc: public-xmlsec@w3.org
Message-ID: <OF4D9F64A8.57AFF058-ON862577A0.006007FC-862577A0.00606DE5@us.ibm.com>

Well, since it's a new element I don't think it's an issue to default to a 
modern hash.

In the fullness of time, I would expect the WSS specs to be revised to 
less tightly bind to a particular hash.

Given NIST800-131 current guidance, CAs will be moving to SHA256 and 
RSA>1024.

Bruce A Rich
brich at-sign us dot ibm dot com




From:   "Scott Cantor" <cantor.2@osu.edu>
To:     <public-xmlsec@w3.org>
Date:   09/16/2010 12:16 PM
Subject:        RE: ACTION-665: Devise proposal for X509SerialNumber
Sent by:        public-xmlsec-request@w3.org



Resending to list...

> > I was OK with everything but the SHA-1 default.  I think a better
default
> > would be SHA-256.
> 
> I won't fight it, I just think in practice it will create headaches. I 
was
> also staying with the default thumbprint that is found in WSS and in 
most
> certificate tools (and there's also the fact that the TLS channel 
bindings
> RFC defines the hash algorithm to use for endpoint CB based on the hash
used
> in the cert. That's normally SHA-1.)
> 
> Is there reason to think most CAs are going to be switching to SHA-2 
soon?
> 
> None of this is to say we can't choose whatever we want, just explaining
my
> reasoning.
> 
> -- Scott

Received on Thursday, 16 September 2010 17:33:49 UTC