[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Should we settle on one SSL implementation?



On 10/24/07, Bernardo Innocenti <bernie codewiz org> wrote:
> On 10/24/07 13:09, Alan Cox wrote:

[snip]

> > Which presumably means they'll not be using SHA1 much longer - right ?
>
> Uh?  I wasn't aware SHA1 has been broken (at least, not in
> a practically exploitable way).

It hasn't ... yet.  But the US government is mandating that it not be
used after 2010, so anyone wanting to be able to fulfill that needs to
plan now how to make the transition:

"March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
applications using secure hash algorithms. Federal agencies should
stop using SHA-1 for digital signatures, digital time stamping and
other applications that require collision resistance as soon as
practical, and must use the SHA-2 family of hash functions for these
applications after 2010."

http://csrc.nist.gov/groups/ST/hash/policy.html

Best wishes,

Oisin Feeley


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]