[142748] in cryptography@c2.net mail archive


Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Tue Jan 20 17:59:28 2009

Date: Tue, 20 Jan 2009 15:58:42 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Darren J Moffat <Darren.Moffat@sun.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, cryptography@metzdowd.com
In-Reply-To: <4974823A.8040409@Sun.COM>

On Mon, Jan 19, 2009 at 01:38:02PM +0000, Darren J Moffat wrote:
> I don't think it depends at all on who you trust but on what algorithms
> are available in the protocols you need to use to run your business or
> use the apps important to you for some other reason. It also very much
> depends on why the app uses the crypto algorithm in question, and in the
> case of digest/hash algorithms whether they are keyed (HMAC) or not.

As Jeff Hutzelman suggested recently, inspired by the SSHv2 CBC mode
vulnerability, hash algorithm agility for PKI really means having more
than one signature, each using a different hash, in each certificate;
this enlarges certificates.  Alternatively, it needs to be possible to
select what certificate to present to a peer based on an algorithm
negotiation; this tends to mean adding round-trips to our protocols.

Nico
-- 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
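An added example, not from the thread: a toy model of the two options Nico describes, a certificate carrying one signature per hash with a verifier that ignores signatures over hashes it no longer trusts, and certificate selection driven by the peer's negotiated hash list. It assumes HMAC under a constructed key as a stand-in for a real public-key signature, and the names make_cert, verify_cert and select_cert are hypothetical.

```python
import hmac

# Constructed CA "key": HMAC stands in for a real signature so this runs
# offline with the standard library only. It is not a PKI implementation.
CA_KEY = b"constructed-ca-key"


def sign(tbs: bytes, hash_name: str) -> bytes:
    """Toy signature over the to-be-signed bytes using the named hash."""
    return hmac.new(CA_KEY, tbs, hash_name).digest()


def make_cert(subject: str, hash_names):
    """One certificate, one signature per hash (the 'enlarged cert' option)."""
    tbs = subject.encode()
    return {"tbs": tbs, "sigs": {h: sign(tbs, h) for h in hash_names}}


def verify_cert(cert, trusted_hashes):
    """Return the hash name that authenticated the cert, or None.

    Signatures over hashes outside the trust policy are skipped entirely:
    an attacker who can forge the MD5 signature must not be able to get the
    cert accepted just because that one signature checks out.
    """
    for hash_name, sig in cert["sigs"].items():
        if hash_name not in trusted_hashes:
            continue
        if hmac.compare_digest(sig, sign(cert["tbs"], hash_name)):
            return hash_name
    return None


def select_cert(certs, peer_hashes, trusted_hashes):
    """Negotiation option: choose the first cert that carries a signature
    over a hash both the peer offers and local policy trusts."""
    acceptable = set(peer_hashes) & set(trusted_hashes)
    for cert in certs:
        usable = acceptable & set(cert["sigs"])
        if usable:
            return cert, sorted(usable)[0]
    return None, None
```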
