My team just received a directive from our customer to "start using
SHA-2" immediately. Yes, in effect, the directive is that vague, and,
no, details have not been forthcoming! So, I intend to tell my
superiors that our product - which uses HTTPS provided by libCurl built
with OpenSSL to xfer files to/from clients - currently SATISFIES this
directive because it is able to authenticate server certificates which
have a digest created with SHA-2. In addition, if asked, I will tell
them that a SHA-1 hash inside each encrypted message transported by SSL
is satisfactory and should not be considered subject to the directive,
unless explicitly told otherwise. In other words, I intend to assert
that the only "place" in server-authenticated HTTPS where SHA-2 has
crypto-significance is in certificate authentication. Is my assessment
correct? Thanks.
