On 29/09/11 17:55, Paul Hoffman wrote:
On Sep 29, 2011, at 9:44 AM, Phillip Hallam-Baker wrote:
If we go for text, we should use:
http://www.iana.org/assignments/dssc/dssc.xml
+1
+1. Makes sense.
So there would have to be text to strongly discourage use of sha-1 and
very strongly discourage md2 and md5.
+1. Even just "very strongly discourage" all three.
+1 on very strongly discourage md2, md5.
Not sure whether we need to explicitely also "very strongly discourage"
sha-1.
Btw. on a personal note: understanding why we need to discourage those.
Do we need to judge the security of hash algorithms in every standards
documents using them individually? After all, after a couple of years
even SHA-3 may become weak/broken while the RFC would still encourage
one alg and discourage the others. Don't we have a central place to
state quality/recommendation of used algorithms, that could just be
referenced to enhance alg agility.
--Paul Hoffman
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec