On 1/8/2014 8:12 PM, Rob Stradling wrote:
> On 08/01/14 11:58, Peter Gutmann wrote:
>> Rob Stradling <[email protected]> writes:
>>
>>> SHA-256, SHA-384 and SHA-512 are the algorithms that CAs should use.
>>
>> In my playing around with all the TLS and SSH implementations I could find
>> that talk SHA-2, I've found that SHA-256 is the new SHA-1. In other words if
>> you want interoperability with anything that does SHA-2, go with SHA-256.
>
> Peter, do you have a list of software/versions that have TLS
> implementations that work fine with SHA-256 in certificate signatures
> but fail to work with SHA-384 and/or SHA-512 in certificate signatures?
>
> Based on the NIST guidance, we've been using SHA-384 when using
> RSA-4096 and secp384r1 CA private keys to sign certificates. I've not
> yet become aware of any interop issues with stuff that claims to talk
> SHA-2.
>
> Thanks.
>

If there are no constraints on choosing SHA-256, SHA-384 or SHA-512, why are CAs so conservative, preferring SHA-256 rather than SHA-512? I think going directly to a higher security strength should be preferable.

Peter mentioned interop issues. Does anyone encounter interop issues with SHA-512?

