I agree with Mike, many key stores use SHA1 thumbprints. I don't know of any security consideration that makes SHA2 thumbprints better in any practical way.
I don't think that adding SHA 2 thumbprints is something that we need to do now.

John B.

On May 1, 2014, at 1:46 PM, Kathleen Moriarty <[email protected]> wrote:

>>
>> Mike> Per your JWS comment, SHA-1 thumbprints are widely deployed. I’m
>> aware of no SHA-256 certificate thumbprint deployments. I’ll note that even
>> if SHA-1 were completely broken, that wouldn’t be a security issue because
>> it’s just being used to generate a digest of publicly available certificate
>> information. It’s not being used to cryptographically obscure anything.
>> (But that’s actually a discussion for another draft. J)
>>
>
> This is in place for the XML equivalents and should be possible for
> JSON. I used this at least 2 years ago in the XML Oxygen editor. I
> believe this has been brought up before in terms of JSON, so I am not
> the first. But it is another draft... I'd like to get through these
> all soon :-)
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
