OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

office message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [office] Passwords

On Tue, 2006-28-11 at 10:59 +0000, Dave Pawson wrote:
> > That's a good idea, though I note that since this spec was written some
> > new attacks on SHA1 have appeared. Is it possible to say "use xmlenc
> > _except_ we change SHA256 from RECOMMENDED to REQUIRED"?
> How about adding some flexibility for implementors.
> I.e. list  a few acceptable encryption algorithms, then require
> that an implementation record the one used, which then
> means that other implementations can use a number of algorithms
> and we can have interop?

Yes, that would be good. We can say that SHA1, SHA256, SHA512 and
RIPMEND-160 are all ok (list taken from xmlenc), but all implementations
must support at least SHA256 but preferably all.

> The informative clauses can be used to explain the rationale for
> requiring SHA256?

Yes. Developers may not know that SHA1 is becoming week rather quickly.
I just read that RSA expects a successful pre-image attack on SHA1
within 5-10 years.


That _would_ render SHA1 useless for passwords.

"I AM in shape. Round IS a shape."

This is a digitally signed message part

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]