Re: What do we do with our SHA References? (Was: What do we do with our CMS References?) from Tom Gindin on 2002-04-30 (xml-encryption@w3.org from April 2002)

From: Tom Gindin <tgindin@us.ibm.com>
Date: Tue, 30 Apr 2002 08:14:16 -0400
To: reagle@w3.org
Cc: aleksey@aleksey.com, Donald Eastlake 3rd <dee3@torque.pothole.com>, xml-encryption@w3.org
Message-ID: <OF32994038.8BC19A32-ON85256BAB.00425D04@pok.ibm.com>

      FIPS 180-2 is expected to supersede FIPS 180-1, which is why it
contains SHA-1 as well as the three new ones.  While they keep FIPS
standards which have been superseded around for a while, you can no longer
get FIPS 46-2 (lifetime 1993-99) from the FIPS index under CSRC, nor from
the main FIPS page.  We might as well leave in both references, and note
that when FIPS 180-2 is finalized it will supersede FIPS 180-1 and replace
it as the normative reference for SHA-1, as well as providing one for the
other SHA's.

            Tom Gindin

Joseph Reagle <reagle@w3.org>@w3.org on 04/29/2002 04:21:48 PM

Please respond to reagle@w3.org

Sent by:    xml-encryption-request@w3.org

To:    aleksey@aleksey.com
cc:    Donald Eastlake 3rd <dee3@torque.pothole.com>, xml-encryption@w3.org
Subject:    What do we do with our SHA References? (Was: What do we do with
       our CMS References?)

On Monday 29 April 2002 12:46, Aleksey Sanin wrote:
> Yes, it is correct now. Probably the wrong version was cached by my
> browser. I also think that it's a good idea to note that SHA2 algorithms
> (SHA256/SHA512)
> are also in the "draft" stage.

Presently the reference says:

SHA
Secure Hash Standard. NIST FIPS 180-1. April 1995.
http://www.itl.nist.gov/fipspubs/fip180-1.htm
 (Being extended to cover SHA-256 and SHA-512. See Draft FIPS 180-2.)
 (http://csrc.nist.gov/encryption/shs/dfips-180-2.pdf

Should we break this apart in to a SHA1 and SHA2 reference? Don, I think
the "being extended" is your text, though I'm not sure what it means and
I'm not that familiar with FIPSs. Will they still consider it the same
standard, or FIPS 180-2 is a distinct specification (that supercede 180-1,
but 180-1 can still be referenced)?

Also, in the CMS references, for the text we rely upon we include in-line
in our spec, so we are protected from changes to those specifications.
However, we don't do that for SHA2 -- and I wouldn't want to. Do folks know

what the plans are for that spec? Is it likely to change at all?

Received on Tuesday, 30 April 2002 08:15:08 UTC