Subject: RE: [security-services] SHA-256 for SAML?
RL 'Bob' Morgan wrote on 2009-07-29:
> I suppose there must have been discussion about this in the past, but
> someone asked me:
>
> We're wondering whether there's a specification that enables SAML 2.0 to
> use SHA-256 rather than SHA-1, since SHA-1 is being deprecated for crypto
> strength reasons. It seems that right now SHA-1 is baked into the SAML
> spec.
>
> I believe the answer is "no" (per section 5.4.1 of saml-core).

That language should have been moved into conformance, it's pretty much an errata, I would say. It's not even useful for conformance, since it's a SHOULD, so it probably ought to just be yanked.

> Presumably the followup question is: is the SSTC working on what people
> tend to call "crypto algorithm agility" so the transition to new signature
> and encryption methods can be managed going forward? I think the answer
> to that is "no" too, though maybe some of the recent XML signature
> revision discussion has a bearing on that.

That's also entirely about conformance, of course. The XML Signature changes that are coming do include changes to the recommended and MTI algorithms, but the spec as a whole is still algorithm agnostic, and thus SAML is too. So, RSA-SHA256 is certainly allowed already.

-- Scott
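Since the algorithm is carried in the ds:Signature itself rather than fixed by SAML, a deployment can audit which one its assertions actually use. Added example, not code from this thread or from the SSTC: a small Python check that reads the ds:SignatureMethod and ds:DigestMethod algorithm URIs out of each XML Signature in a SAML document and flags the SHA-1 ones; the sample assertion is constructed, the function names are mine, and nothing here verifies the signature value.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MORE = "http://www.w3.org/2001/04/xmldsig-more#"
ENC = "http://www.w3.org/2001/04/xmlenc#"

# Algorithm identifiers from XML Signature / RFC 4051; SHA-1 forms are "weak".
WEAK_SIGNATURE = {DS + "rsa-sha1", DS + "dsa-sha1"}
WEAK_DIGEST = {DS + "sha1"}
STRONG_SIGNATURE = {MORE + "rsa-sha256", MORE + "rsa-sha384", MORE + "rsa-sha512"}
STRONG_DIGEST = {ENC + "sha256", MORE + "sha384", ENC + "sha512"}


def classify(uri, weak, strong):
    return "weak" if uri in weak else "ok" if uri in strong else "unknown"


def audit_signature_algorithms(xml_text):
    """Return (element, algorithm_uri, verdict) for every SignatureMethod and
    DigestMethod found under any ds:Signature. Verdict is weak/ok/unknown."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter("{%s}Signature" % DS):
        sm = sig.find(".//{%s}SignatureMethod" % DS)
        uri = sm.get("Algorithm", "") if sm is not None else ""
        findings.append(("SignatureMethod", uri,
                         classify(uri, WEAK_SIGNATURE, STRONG_SIGNATURE)))
        for dm in sig.iter("{%s}DigestMethod" % DS):  # one per ds:Reference
            uri = dm.get("Algorithm", "")
            findings.append(("DigestMethod", uri,
                             classify(uri, WEAK_DIGEST, STRONG_DIGEST)))
    return findings


def uses_only_sha2(xml_text):
    """True only if at least one signature exists and every algorithm is SHA-2."""
    findings = audit_signature_algorithms(xml_text)
    return bool(findings) and all(v == "ok" for _, _, v in findings)


# Constructed sample: a skeletal SAML 2.0 assertion with just the parts of
# ds:Signature the audit looks at (digest/signature values are dummies).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc123">
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="%s"/>
    <ds:Reference URI="#_abc123"><ds:DigestMethod Algorithm="%s"/>
      <ds:DigestValue>ZGVtbw==</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>ZGVtbw==</ds:SignatureValue></ds:Signature>
</saml:Assertion>"""

LEGACY = SAMPLE % (DS + "rsa-sha1", DS + "sha1")            # SHA-1 throughout
MODERN = SAMPLE % (MORE + "rsa-sha256", ENC + "sha256")     # RSA-SHA256 + SHA-256
```

Running `audit_signature_algorithms(LEGACY)` reports both the signature and the digest method as weak, while `MODERN` passes `uses_only_sha2`.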