David Shaw wrote:

We might want to think about making SHA-256 be another MUST algorithm.
The only MUST hash now is SHA-1. Making SHA-256 be a MUST would make
these new key sizes be more useful, and also give us an easier fallback
if SHA-1 should be broken.

Unless DSA2 is also a MUST, I wonder what the practical advantage to
that would be (beyond making the social point that we really, really
want people to move away from SHA-1).

I think this is pretty much all of the point. Any
new DSA signing method or other usage will likely
be non-obligatory, but pushing the implementations
into that direction seems useful.

right answer. Now that we have actual information about DSA2, perhaps
it would be worth revisiting that question. A new algorithm ID for
DSA2 resolves a number of problems in one fell swoop as there is no
expectation of interoperability. SHA-256 is always usable
(effectively the default) for DSA2, and there is no problem with
knowing when it is possible to use truncation (always).

Sounds good to me.

iang