Hello:
I would like to point out that SHA-224 is not a good choice for a fixed
hash algorithm. SHA-224 is not implemented in Microsoft CryptoAPI /
Cryptography Next Generation, which means that Windows apps (clients and
servers) will have a more difficult time implementing this thing.
Reference: <http://msdn.microsoft.com/library/bb931357>. I suggest
sticking with SHA-256.
Looking back at the archives, it appears that a motivator for SHA-224 is
that it is "short" and therefore fits in a DNS label with hex encoding.
I do not buy this argument. Base32 encoding works great for SHA-256.
Since DNS labels are octets anyway, if you want "short" I do not see a
big deal with putting 32 octets in the label. Pushback on the grounds
that "it's not a hostname" and "watch out for case folding" is moot
because "_smimecert" is not a valid hostname either: that's why "_" was
chosen for SRV records and their kin. It's not a vanity contest. Maybe
there are other considerations; I am not a DNS ops expert. Suffice it to
say, base32 would work just fine.
(As an implementer, I have other various opinions about this work but
don't feel like bringing them up at this time.)
Sean
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
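The label-length argument in the message above, worked through in code. This is an added example, not part of Sean's message or of the DANE/S/MIME drafts: it hashes a constructed byte string standing in for a DER certificate (not a real certificate), encodes the SHA-224 and SHA-256 digests as hex and as unpadded RFC 4648 base32, and checks each against the 63-octet DNS label limit from RFC 1035. It also shows that base32 survives DNS case folding: the label is lowercased on the way in and upper-cased back before decoding, and the digest round-trips either way. The function and constant names are this example's own.

```python
import base64
import hashlib

# RFC 1035: a single DNS label is at most 63 octets.
DNS_LABEL_MAX = 63

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))


def digest(data: bytes, alg: str) -> bytes:
    """Raw digest of data under the named hashlib algorithm."""
    return hashlib.new(alg, data).digest()


def encode_label(d: bytes, encoding: str) -> str:
    """Encode a digest as the text of one DNS label."""
    if encoding == "hex":
        return d.hex()
    if encoding == "base32":
        # RFC 4648 base32 alphabet is A-Z and 2-7, all LDH characters.
        # Padding is dropped (length is implied by the digest size) and the
        # result is lowercased because DNS compares labels case-insensitively.
        return base64.b32encode(d).decode("ascii").rstrip("=").lower()
    raise ValueError(f"unknown encoding {encoding!r}")


def decode_base32_label(label: str) -> bytes:
    """Inverse of encode_label(..., 'base32'); accepts any case, as a
    resolver that case-folded the label would hand it back."""
    s = label.upper()
    s += "=" * (-len(s) % 8)  # restore the padding b32decode requires
    return base64.b32decode(s)


def label_fits(label: str) -> bool:
    """True if the label's octet length is within the RFC 1035 limit."""
    return len(label.encode("ascii")) <= DNS_LABEL_MAX


def compare(data: bytes) -> dict:
    """Map 'alg/encoding' -> (label length in octets, fits in one label?)
    for SHA-224 and SHA-256 in hex, base32, and as raw digest octets."""
    out = {}
    for alg in ("sha224", "sha256"):
        d = digest(data, alg)
        for enc in ("hex", "base32"):
            lab = encode_label(d, enc)
            out[f"{alg}/{enc}"] = (len(lab), label_fits(lab))
        # DNS labels are octet strings, so the raw digest is itself a
        # candidate label; 28 or 32 octets is well under the limit.
        out[f"{alg}/raw"] = (len(d), len(d) <= DNS_LABEL_MAX)
    return out


if __name__ == "__main__":
    for key, (length, fits) in sorted(compare(SAMPLE_CERT).items()):
        print(f"{key:15s} {length:3d} octets  fits={fits}")
    b32 = encode_label(digest(SAMPLE_CERT, "sha256"), "base32")
    print("base32 label:", b32)
    print("round-trips after case folding:",
          decode_base32_label(b32.upper()) == digest(SAMPLE_CERT, "sha256"))
```

The numbers that fall out are the ones the argument turns on: hex SHA-224 is 56 characters and fits, hex SHA-256 is 64 characters and does not, while base32 SHA-256 is 52 characters and fits with room to spare, and the raw 32-octet digest fits trivially.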