At 9:32 AM -0700 5/2/07, Wan-Teh Chang wrote:
>> Again, while we are at it, how about mandating SHA-246? We can safely
>> assume complete deployment of it within five years.
>
> I assume you meant SHA-256.

Give or take 10, yes. :-)

> If SHA-256 won't be made available
> in Windows XP, this is equivalent to assuming complete replacement
> of Windows XP within five years (when Windows XP is 10-11 years
> old). That's a tough question.

It is indeed. Does Firefox have to rely on XP's CAPI, or could we provide our own crypto for something as important as this? Will we care about XP in five years? What if we made the date seven years in order to take care of the dwindling XP crowd?

Personally, I feel that it is silly to fix one part of the signature security and ignore the other part. We don't have any valid attacks against SHA-1 in the signature algorithm in CA certs yet, and none have been even hinted at. We also know that changing CA certs is painful for the CAs, so if we think we might make this change in the future we might as well make it at the same time.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto