On Jun 27, 2005, at 10:51 AM, Russ Housley wrote:
> So, building on what Peter Gutmann suggested:
>
>    sha1WithRSAEncryption would be a MUST-
>    sha224WithRSAEncryption would be a MAY
>    sha256WithRSAEncryption would be a SHOULD+
>    sha384WithRSAEncryption would be a MAY
>    sha512WithRSAEncryption would be a MAY
>
> Unfortunately, I do not have a similar recommendation for DSA. SHA-1
> still seems to be the only supported one-way hash function. I expect
> that to change soon, but it has not happened yet.

"As yet unwritten DSA variant, SHOULD+"

I still find myself somewhat annoyed by the MUST- SHOULD+ approach,
though I do understand that as a "clue for future revisions" it has
some value.

Personally, I would upgrade 384 and 512 to SHOULD (no "+"). The
semantic of that is "there may exist valid reasons in particular
circumstances to ignore". If you can't do 64-bit easily or the
performance makes you crabby, then you can invoke that clause. I don't
really feel strongly enough about it to fight for this though.

Are there any reasons besides implementation ease to promote or
discourage the SHA-512-derived algorithms? Is there any cryptographic
history with SHA-256 that makes us nervous (besides the obvious
'strength in length' argument)?

Blake
--
Blake Ramsdell | Sendmail, Inc. | http://www.sendmail.com