

Subject: re:[pki-tc] Re: Hash Research (was RE: [pki-tc] Bridge CA update?)



Furthermore, I thought that NIST's very recent report more or less said
that the problem remains academic.  The issue is not insignificant, to be
sure, but it is not expected to have practical ramifications on
implementers (i.e. most of the TC as Arshad points out) for the foreseeable
future.

See http://csrc.nist.gov/pki/twg/y2004/Presentations/twg-04-14.pdf

Cheers, 

Stephen (the possible optimist).


Stephen Wilson
Lockstep Consulting Pty Ltd
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046
Australia

P +61 (0)414 488 851

--------------------

About Lockstep 
Lockstep was established in early 2004 by noted authentication expert 
Stephen Wilson, to provide independent advice and analysis on cyber 
security policy, strategy, risk management, and identity management.  
Lockstep is also developing unique new smartcard solutions to address 
privacy and identity theft. 
Contact swilson@lockstep.com.au. 

> This could be for a couple of reasons, John:
>
> 1) That this group is focused more on implementation and use of PKIs,
> whereas hashing might be of greater interest to mathematicians and
> cryptographers.  This is not to say that these two groups are not
> interested in PKIs or that this group is not interested in the hashing
> collision problem.  But speaking for myself as a builder of PKIs, I'm
> not terribly interested in the composition of the "materials" so long as
> there is general consensus in the PKI industry about the efficacy of
> one "material" over another, and that there are other experts focused on
> finding the right "materials" for constructing these things;
>
> 2) That only MD5 has been shown to have collisions, while SHA-1 has not -
> which is what most PKIs tend to use nowadays.  In any case, as SHA-256,
> SHA-384 and SHA-512 get implemented in PKI software products and
> applications, they will become the implementation standard moving further
> away from the MD5 collision problem.  Now if the Secure Hashing Algorithm
> itself had problems with it, that might be another matter altogether....
> 
> Arshad Noor
> StrongAuth, Inc.
> 
>  
> ----- Original Message -----
> From: John Messing <jmessing@law-on-line.com>
> Date: Tuesday, January 25, 2005 7:14 am
> Subject: RE: [pki-tc] Bridge CA update?
> 
> > It seems to me that in addition to or in lieu of Bridge analyses, this
> > group should consider developments around intentional hash collisions
> > and the research being done about them, and the effects upon the
> > future of digital signatures and PK.
> > 
> > I may have missed something, but I do not recall the matter even being
> > discussed by the group yet.
> > 
