> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Crocker
> 1. I can't guess what you interpreted as "frightening" in my
> characterization.
> All I did was note your own reference to a 5-year timeframe
> and the lack of our having any details about what would be
> chosen by then. As for vagueness, the lack of detail could
> hardly be characterized otherwise.

Actually I think it is very clear what we will be using in 5 years time, either what we are using today or the NSA suite B with the possible replacement of the hash algorithm.

A better question would be 'do we know how to manage the transition from one algorithm to another'. That is what has never been effectively accomplished in the field to date.

> In other words, you think it appropriate to *require* that
> all signers *always*
> use SHA-256?
>
> This would mean, for example, that support for the next,
> preferred algorithm,
> would require revising and re-issuing the specification.

This is actually a problem across all the IETF security specs and across all the standards organizations. What we really need is a WG that describes how to deploy a replacement crypto set across the board.

Having discussed this issue with the cryptographers the clear consensus there is that the announced weaknesses in SHA-1 almost certainly affect SHA-256 and that we should be looking for hash functions designed on different principles rather than promoting SHA-256 as a cure.

Even with the known compromise SHA-1 is considerably stronger than the RSA keys we are expecting to use. Break the hash and you may be able to fake one bit in one document. Factoring the RSA key is less work and allows you to sign any document you like.

It is not rational to be obsessing about SHA256 when we have bigger problems with RSA. If it was not for the patent issues I would push for ECC as per suite B.

_______________________________________________
NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
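The transition problem raised in this message (how a verifier moves from one hash algorithm to its successor without re-issuing the spec) is illustrated by the following added example, which is not code from the poster or from any DKIM implementation. It assumes DKIM-style `a=` and `bh=` tags in a signature header; the policy table, its statuses and the sample body are constructed for this example.

```python
import base64
import hashlib
import hmac
from enum import Enum


class Status(Enum):
    ACCEPT = "accept"          # current preferred algorithm
    DEPRECATED = "deprecated"  # still verified, but flagged for migration
    REJECT = "reject"          # unknown or withdrawn algorithm


# Transition policy, kept apart from the parsing and verification code so
# that retiring one hash and admitting its successor is an edit here rather
# than a new parser. Tag names follow DKIM's a= convention; the status
# assignments are constructed for this example, not a DKIM requirement.
POLICY = {
    "rsa-sha1": (Status.DEPRECATED, "sha1"),
    "rsa-sha256": (Status.ACCEPT, "sha256"),
}

SAMPLE_BODY = b"hello\r\n"  # constructed message body


def parse_tags(header):
    """Split 'k=v; k2=v2' into a dict, ignoring whitespace around tags."""
    tags = {}
    for field in header.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def make_bh(digest_name, body):
    """Base64 body hash as a signer would place it in the bh= tag."""
    return base64.b64encode(hashlib.new(digest_name, body).digest()).decode()


def evaluate(header, body):
    """Return (Status, body_hash_matches) for one signature header."""
    tags = parse_tags(header)
    status, digest_name = POLICY.get(tags.get("a", ""), (Status.REJECT, None))
    if status is Status.REJECT:
        return status, False  # never hash with an algorithm not in the policy
    expected = make_bh(digest_name, body)
    return status, hmac.compare_digest(expected, tags.get("bh", ""))
```

A caller treats DEPRECATED as a verified signature plus a migration signal (log it, report it to the signer), which is the data needed to know when the old algorithm can finally be moved to REJECT.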
