On Jul 17, 2010, at 3:30 05PM, Taral wrote:
> On Sat, Jul 17, 2010 at 7:41 AM, Paul Wouters <[email protected]> wrote:
>>> Several are using old SHA-1 hashes...
>>
>> "old" ?
>
> "old" in that they are explicitly not recommended by the latest specs
> I was looking at.
DNSSEC signatures do not need to have a long lifetime; no one cares if, in 10
years, someone can find a preimage attack against today's signed zones. This
is unlike many other uses of digital signatures, where you may have to present
evidence in court about what some did or did not sign.
It's also unclear to me what the actual deployment is of stronger algorithms,
or of code that will do the right thing if multiple signatures are present.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
