On Mon, 12 Jan 2009 16:05:08 +1300 [email protected] (Peter Gutmann) wrote:
> "Weger, B.M.M. de" <[email protected]> writes:
>
> >> Bottom line, anyone fielding a SHA-2 cert today is not going
> >> to be happy with their costly pile of bits.
> >
> >Will this situation have changed by the end of 2010 (that's next
> >year, by the way), when everybody who takes NIST seriously will have
> >to switch to SHA-2?
>
> I have a general outline of a timeline for adoption of new crypto
> mechanisms (e.g. OAEP, PSS, that sort of thing, and not specifically
> algorithms) in my Crypto Gardening Guide and Planting Tips,
> http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt, see
> "Question J" about 2/3 of the way down. It's not meant to be
> definitively accurate for all cases but was created as a rough
> guideline for people proposing to introduce new crypto mechanisms to
> give an idea of how long they should expect to wait to see them
> adopted.
>

My analysis is similar to Peter's: 2-3 years for an RFC, 2-3 years for
design/code/test, 2 years average delay for the next major release of
Windows which will include it, 5 years for most of the older machines to
die off.

I've mentioned it before, but I'll point to the paper Eric Rescorla wrote
a few years ago: http://www.cs.columbia.edu/~smb/papers/new-hash.ps or
http://www.cs.columbia.edu/~smb/papers/new-hash.pdf .

The bottom line: if you're running a public-facing web server, you *can't*
offer a SHA-2 certificate because you have no way of knowing if the client
supports SHA-2. Fixing that requires a TLS fix; see the above timeline for
that.

--
--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
