Based on the October 21 discussion with the XML Security WG:
<http://www.w3.org/2008/10/21-wam-minutes.html#item07>
The group decided SHA-256 is required, thus this issue is closed.
-Regards, Art Barstow
On Jun 27, 2008, at 2:02 AM, ext Web Applications Working Group Issue
Tracker wrote:
ISSUE-22 (Is SHA1 good enough?): Is sha1 as a DigestMethod strong
enough for Widgets digital signatures?
http://www.w3.org/2008/webapps/track/issues/
Raised by: Josh Soref
On product:
The widgets 1.0: Digital Signature specification currently mandates
that the DigestValue be calculated using RSA-SHA1 (and indicated as
such by the DigestMethod). However, weaknesses have been found in
SHA1 [1]. So would some other DigestMethod be more appropriate?
Does it really matter that SHA1 has been "broken" for this use case?
[1] http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
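A sketch of how a verifier could enforce the resolution above, added here as an example and not taken from this thread or from the Widgets specification: it accepts a Reference only when its DigestMethod is SHA-256 and its DigestValue matches the file. It assumes digests are taken over the raw file bytes with no transforms and does not check the SignatureValue; `check_references`, `_reference` and the sample data are hypothetical names and constructed values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
# DigestMethod Algorithm URIs defined by XML Signature / XML Encryption.
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
ALLOWED = {SHA256_URI: hashlib.sha256}  # SHA-1 deliberately not accepted


def check_references(signature_xml, files):
    """Return {uri: verdict} for each ds:Reference in the signature.

    files maps a Reference URI to the bytes of that file in the package.
    """
    results = {}
    root = ET.fromstring(signature_xml)
    for ref in root.iter(DSIG + "Reference"):
        uri = ref.get("URI")
        method = ref.find(DSIG + "DigestMethod")
        value = ref.find(DSIG + "DigestValue")
        algorithm = method.get("Algorithm") if method is not None else None
        if algorithm not in ALLOWED:
            # Policy check comes first: a valid SHA-1 digest is still refused.
            results[uri] = "rejected-digest-method"
        elif uri not in files or value is None or not value.text:
            results[uri] = "missing"
        else:
            digest = ALLOWED[algorithm](files[uri]).digest()
            expected = base64.b64encode(digest).decode()
            ok = expected == value.text.strip()
            results[uri] = "ok" if ok else "digest-mismatch"
    return results


def _reference(uri, algorithm, hasher, data):
    """Build one ds:Reference element for the constructed sample below."""
    value = base64.b64encode(hasher(data).digest()).decode()
    return (f'<Reference URI="{uri}"><DigestMethod Algorithm="{algorithm}"/>'
            f"<DigestValue>{value}</DigestValue></Reference>")


# Constructed sample: one file referenced with SHA-256, one with SHA-1.
SAMPLE_FILES = {"config.xml": b"<widget/>", "index.html": b"<html></html>"}
SAMPLE_SIGNATURE = (
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
    + _reference("config.xml", SHA256_URI, hashlib.sha256, SAMPLE_FILES["config.xml"])
    + _reference("index.html", SHA1_URI, hashlib.sha1, SAMPLE_FILES["index.html"])
    + "</SignedInfo></Signature>"
)
```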