MD5 considered harmful today, SHA-1 considered harmful tomorrow

Ben Laurie benl at google.com
Fri Jan 23 00:01:50 EST 2009


On Tue, Jan 20, 2009 at 5:14 AM, Victor Duchovni
<Victor.Duchovni at morganstanley.com> wrote:
> On Mon, Jan 19, 2009 at 10:45:55AM +0100, Bodo Moeller wrote:
>
>> The RFC does exist (TLS 1.2 in RFC 5246 from August 2008 makes SHA-256
>> mandatory), so you can send a SHA-256 certificate to clients that
>> indicate they support TLS 1.2 or later.  You'd still need some other
>> certificate for interoperability with clients that don't support
>> SHA-256, of course, and you'd be sending that one to clients that do
>> support SHA-256 but not TLS 1.2.  (So you'd fall back to SHA-1, which
>> is not really a problem when CAs make sure to use the hash algorithm
>> in a way that doesn't rely on hash collisions being hard to find,
>> which probably is a good idea for *any* hash algorithm.)
>
> It would be helpful if as a first step, SSL_library_init() (a.k.a.
> OpenSSL_add_ssl_algorithms()) enabled the SHA-2 family of digests,
> I would make this change in the 0.9.9 development snapshots.
>
> [ Off topic: I find OpenSSL release-engineering a rather puzzling
> process. The "patch" releases are in fact feature releases,

Who said they were "patch" releases?

> and there
> are no real patch releases even for critical security issues.  I chose
> to backport the 0.9.8j security fixes to 0.9.8i and sit out all the
> new FIPS code, ... This should not be necessary. I really hope to see
> real OpenSSL patch releases some day with development of new features
> *strictly* in the development snapshots. Ideally this will start with
> 0.9.9a, with no new features, just bugfixes, in [b-z]. ]

I think that is not likely to happen, because that's not the way it
works. The promise we try to keep is ABI compatibility between
releases that have the same numbers. Letters signify new versions
within that series. We do not have a bugfix-only branch. There doesn't
seem to be much demand for one.

>
> --
>        Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
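Added example, not code from this thread or from OpenSSL: a small DER walker that reports which hash a certificate's outer signatureAlgorithm uses (the check a server operator would run before deciding which certificate to serve), together with the version-based selection rule Bodo Moeller describes, where clients that announce TLS 1.2 or later get the SHA-256 certificate and everyone else gets the SHA-1 one. The OID table, the placeholder certificate shapes and the `choose_certificate` helper are assumptions made for this illustration; the sample certificates are constructed with only the three outer fields and carry no real tbsCertificate, which the walker skips over without parsing.

```python
# Added example (not from the thread): inspect a certificate's signature hash
# and pick a certificate by the client's TLS version, as described above.

# Well-known signature algorithm OIDs, dotted form -> (name, hash). Assumed table.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def certificate_signature_hash(der):
    """Return (algorithm name, hash name) from the outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    Only the second field is examined; tbsCertificate is skipped, not parsed.
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    dotted = decode_oid(oid)
    return SIG_ALG_OIDS.get(dotted, ("unknown:" + dotted, "unknown"))


def choose_certificate(client_tls_version, sha256_cert, sha1_cert):
    """Selection rule from the quoted text: a client announcing TLS 1.2 or later
    (record version (3, 3)) gets the SHA-256 certificate; older clients get the
    SHA-1 one, because pre-1.2 clients give no signal about accepted hashes."""
    return sha256_cert if client_tls_version >= (3, 3) else sha1_cert


# --- constructed sample input: outer certificate shape only, not real certs ---

def _der(tag, content):
    """Short-form DER TLV encoder; sufficient for the small samples below."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def build_sample_cert(sig_oid_content):
    """Constructed placeholder with the three outer fields of a Certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                 # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, sig_oid_content) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 8)               # stand-in BIT STRING
    return _der(0x30, tbs + alg + sig)


SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SAMPLE_SHA1_CERT = build_sample_cert(SHA1_RSA_OID)
SAMPLE_SHA256_CERT = build_sample_cert(SHA256_RSA_OID)

if __name__ == "__main__":
    for label, cert in (("sha1 sample", SAMPLE_SHA1_CERT), ("sha256 sample", SAMPLE_SHA256_CERT)):
        print(label, certificate_signature_hash(cert))
    served = choose_certificate((3, 1), SAMPLE_SHA256_CERT, SAMPLE_SHA1_CERT)  # TLS 1.0 client
    print("TLS 1.0 client receives", certificate_signature_hash(served)[1])
```

Running the walker over a real DER certificate (for example one fetched from a server) works the same way, since only the outer three-field layout is relied on; the hash name it returns is what an inventory script would log when hunting for SHA-1 or MD5 signed certificates still in service.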