Subject: Re: [office] Passwords

Dave,

Dave Pawson wrote:

> On 28/11/06, Patrick Durusau <patrick@durusau.net> wrote:
>
>> Does anyone know if the list of hash functions posted by Florian
>> (thanks!) would be considered sufficient by government agencies? Or
>> common?
>
> <grin/> Good thinking Patrick!
> Think of the customer first. Very important.

Seems to me easier to sell a customer something they want than to try to sell them something we are interested in selling. ;-) (The latter too often being the starting point in both software and markup circles.)

> Sorry, I can't help you there.
>
> Is this the right list to ask?
> Could we use the ODF alliance website to ask? Or other lists?
>
> I.e. look for a list where users listen?

Asking on lists would be one place but realize that users at particular agencies probably can't say what they actually use. ;-)

I did search around and http://csrc.nist.gov/, the Computer Security Division of NIST, looked like a good starting point.

That led to the Cryptographic ToolKit, http://csrc.nist.gov/CryptoToolkit/, and thence to Secure Hashing, http://csrc.nist.gov/CryptoToolkit/tkhash.html.

***

March 15, 2006: *The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms.* Federal agencies *should* stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols.

***

In case anyone is interested, approved encryption algorithms are covered at: http://csrc.nist.gov/CryptoToolkit/tkencryption.html

There is a ton of material at this site and anyone who wants to create an ODF conformant application where security is a concern will need to master a lot of requirements, some of which may be project specific.

I just saw Daniel's post on Whirlpool. Are there any other "known" systems likely to be in widespread use?

It occurs to me that we may want to make this extensible to accommodate anyone inside a secure environment that may have a method we are not going to list. To be sure it would not be generally interoperable but that is not really a consideration inside a secure environment.

Hope you are having a great day!

Patrick

> regards
>

--
Patrick Durusau
Patrick@Durusau.net
Chair, V1 - Text Processing: Office and Publishing Systems Interface
Co-Editor, ISO 13250, Topic Maps -- Reference Model
Member, Text Encoding Initiative Board of Directors, 2003-2005

Topic Maps: Human, not artificial, intelligence at work!