> No, C++ lib doesn't support SHA-256 or stronger. It supports only MD5
> and SHA1 due to Windows CryptoAPI and OpenSSL limitations.

Thanks, didn't realize that.

> However, if you don't trust SHA1 anymore, you should consider that many
> digital certificates used for signing are signed using SHA1 (or even
> MD5) digest algs. :(

The recent attack is not my concern so much as the reliance on a single hash
supported by the library instead of at least a few different options. My
point being that if we don't have more algorithms in common between
different libraries, when and if SHA-1 gets totally broken, everyone is
screwed.

I also think it's a mistake for XMLSig and similar specs to require only one
or two algorithms be supported. It's a recipe for a big mess later, seems to
me.

-- Scott

Reply via email to