On 11/18/2013 07:00 AM, Gervase Markham wrote:
Hi everyone,
Following Microsoft's announcement re: SHA-1, some CAs are asking
browser and OS vendors about the ubiquity of SHA-256 support. It would
be a help to them if we could say:
- Which version of NSS first supported SHA-256
Gerv, SHA-256 isn't the only algorithm of interest here.
The latest Windows Root Certificate Program requirements [1] permit CAs
to use SHA-256, SHA-384 and SHA-512. Unsurprisingly, these 3 functions
from the SHA-2 family are what the Windows CryptoAPI actually supports
(since XP SP3).
On 19/11/13 02:20, Robert Relyea wrote:
I think it's safe to say if your NSS ap is newer than a decade old, you
have SHA-2 support. The one caveat is that SHA-224 support was added
much later, but SHA-256, SHA-384, and SHA-512 have all been supported
for a while.
SHA-224 isn't supported by CryptoAPI, and CAs aren't permitted (by [1])
to use it anyway. Ditto for the SHA-512/224, SHA-512/256 and SHA-512/t
functions that were added to the SHA-2 specification [2] last year.
[1]
http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx
[2] http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto