MD5 considered harmful today, SHA-1 considered harmful tomorrow

Nicolas Williams Nicolas.Williams at sun.com
Tue Jan 20 16:58:42 EST 2009


On Mon, Jan 19, 2009 at 01:38:02PM +0000, Darren J Moffat wrote:
> I don't think it depends at all on who you trust but on what algorithms 
> are available in the protocols you need to use to run your business or 
> use the apps important to you for some other reason.   It also very much 
> depends on why the app uses the crypto algorithm in question, and in the 
> case of digest/hash algorithms whether they are keyed (HMAC) or not.

As Jeff Hutzelman suggested recently, inspired by the SSHv2 CBC mode
vulnerability, hash algorithm agility for PKI really means having more
than one signature, each using a different hash, in each certificate;
this enlarges certificates.  Alternatively, it needs to be possible to
select what certificate to present to a peer based on an algorithm
negotiation; this tends to mean adding round-trips to our protocols.

Nico
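The two agility options sketched in the message above, worked through as an added example that is not part of the original thread or of any product mentioned in it. A certificate is modelled as a plain dict holding the to-be-signed bytes plus one signature per hash (option 1); `choose_cert` models option 2, where the presenter picks a certificate from what the peer advertised. Textbook RSA over the raw digest (no padding) stands in for a real signature scheme only so the example runs offline with the standard library; the function names, the verifier policy and the sample certificate bytes are all hypothetical.

```python
"""Hash agility for certificates: one certificate carrying a signature per
hash, versus presenting whichever certificate matches the hash the peer
negotiated.  Added illustration, not code from the thread; all names here
are hypothetical.  Python 3.8+ (pow(e, -1, m)), standard library only."""
import hashlib
import secrets

# --- Textbook RSA over a raw digest (no padding).  This stands in for a real
# signature scheme purely so the example runs offline; never use it as-is. ---

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Return (private, public) as ((n, d), (n, e))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return ((p * q, pow(e, -1, phi)), (p * q, e))


def _digest_int(hash_name, tbs, n):
    m = int.from_bytes(hashlib.new(hash_name, tbs).digest(), "big")
    if m >= n:
        raise ValueError("digest does not fit the modulus; use a larger key")
    return m


def sign(private, hash_name, tbs):
    n, d = private
    return pow(_digest_int(hash_name, tbs, n), d, n)


def verify(public, hash_name, tbs, sig):
    n, e = public
    return pow(sig, e, n) == _digest_int(hash_name, tbs, n)


# --- The two options from the thread ---

def make_cert(tbs, private, hash_names):
    """Option 1: one certificate, one signature per hash it must support."""
    return {"tbs": tbs, "signatures": {h: sign(private, h, tbs) for h in hash_names}}


def encoded_size(cert):
    """Rough on-the-wire size: each extra signature enlarges the certificate."""
    def n_bytes(x):
        return (x.bit_length() + 7) // 8
    return len(cert["tbs"]) + sum(n_bytes(s) for s in cert["signatures"].values())


def verify_cert(cert, public, trusted_hashes):
    """Accept the certificate if it carries a valid signature under a hash the
    verifier still trusts; returns the hash used, or None.  A cert signed only
    with a hash the verifier has retired (e.g. MD5) is rejected even though
    the signature is mathematically fine."""
    for h in trusted_hashes:  # verifier's preference order
        sig = cert["signatures"].get(h)
        if sig is not None and verify(public, h, cert["tbs"], sig):
            return h
    return None


def choose_cert(certs, peer_hashes):
    """Option 2: negotiation.  Given the hashes the peer advertised (in its
    preference order), pick the first certificate the peer can verify.  The
    advertisement is the extra round-trip the thread mentions."""
    for h in peer_hashes:
        for cert in certs:
            if h in cert["signatures"]:
                return cert
    return None


if __name__ == "__main__":
    private, public = keygen()
    tbs = b"CN=example, notAfter=2010-01-01"  # constructed stand-in for a TBSCertificate
    legacy = make_cert(tbs, private, ["md5"])
    agile = make_cert(tbs, private, ["md5", "sha256"])
    print("legacy cert, SHA-256-only verifier:", verify_cert(legacy, public, ["sha256"]))
    print("agile cert,  SHA-256-only verifier:", verify_cert(agile, public, ["sha256"]))
    print("size legacy/agile:", encoded_size(legacy), encoded_size(agile))
    print("peer offers sha256 then md5 -> agile chosen:",
          choose_cert([legacy, agile], ["sha256", "md5"]) is agile)
```

The verifier's trusted-hash list is the policy knob: dropping "md5" from it retires MD5-signed certificates without touching the issuer, but only if the certificate already carries a second signature, which is where the size cost of option 1 comes from. Option 2 avoids that cost but needs the peer's hash list before the certificate is sent, hence the extra round-trip.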
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com