At 9:45 AM -0400 6/22/05, Russ Housley wrote:
> Section 3.4.3.2 of RFC 3851 says:
>
>    The SHA-256, SHA-384, and SHA-512 algorithms [FIPS180-2] are not
>    currently recommended in S/MIME, and are included here for
>    completeness.
>
> I think it is time to revisit this decision. I think the standard
> needs to accept longer hash functions, at least with the RSA
> signature algorithm.

3.4.3.2 of 3851 is discussing the micalg parameter. Maybe we should
instead be discussing RFC 3370, which doesn't mention SHA-224, -256,
-384, or -512 at all. That is, 3851 is fine as far as it goes.

At 1:51 PM -0400 6/27/05, Russ Housley wrote:
> So, building on what Peter Gutmann suggested:
>
>    sha1WithRSAEncryption would be a MUST-
>    sha224WithRSAEncryption would be a MAY
>    sha256WithRSAEncryption would be a SHOULD+
>    sha384WithRSAEncryption would be a MAY
>    sha512WithRSAEncryption would be a MAY

RFC 3370 needs to be expanded to say how all those work. (If we let
Peter do it, you can imagine what he'll say about the utility or even
the existence of sha224WithRSAEncryption...) I'm OK with those settings
if you use the words from the IPsec work.

> Unfortunately, I do not have a similar recommendation for DSA.
> SHA-1 still seems to be the only supported one-way hash function. I
> expect that to change soon, but it has not happened yet.

So....., what do we do? Update 3370 without changing DSA, then
upgrade it again when the DSA change comes down? Wait for the DSA
change?
--Paul Hoffman, Director
--Internet Mail Consortium