[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: FW: found a way to mimic the digital identity
Not to those who knew about the weakness back in 2004 when the flaw in MD5 was first publicized, Marc. Everyone knew it was only a matter of time when this attack would show up - it happened yesterday. Every PKI I have built since 2004 has used SHA-1 for the signing-digest. Every PKI I have built since January 2008 uses SHA-256 (SHA-1 is deemed OK only until the end of 2010 and NIST has already started the process for moving past SHA-256). All the ENML examples I've used for the Symmetric-Key and X509 Digital Signature profiles use SHA-1 for the digest, so ENML is safe (for now). As soon as the World Wide Web Consortium updates the XMLSignature standard - which I expect them to do so in 2009 - we can incorporate them into ENML by reference and issue an update to the standard. It is possible that by the time we vote on the standard, W3C may have updated XMLSignature and ENML 1.0 could very well include support for SHA-256, SHA-384 and SHA-512 hashes. I anticipate that anyone building software using ENML in 2009 will be smart enough to include SHA-256 support in it even if ENML doesn't specify it - and as soon as ENML specifies it, it can be flipped-on in the field by changing one option and restarting the software. That's how we built CSRTool back in 2007: http://www.strongauth.com/index.php?option=com_content&task=view&id=32&Itemid=32 Happy new year, everyone. Arshad Marc L. Aronson wrote: > Interesting. (Or not?) > > > > http://www.washingtonpost.com/wp-dyn/content/article/2008/12/30/AR2008123001056.html?nav=printbox&sid=ST2008123001136&s_pos > <http://www.washingtonpost.com/wp-dyn/content/article/2008/12/30/AR2008123001056.html?nav=printbox&sid=ST2008123001136&s_pos>= > > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]