ISSUE-22
Is SHA1 good enough?
Is sha1 as a DigestMethod strong enough for Widgets digital signatures?
- State:
- CLOSED
- Product:
- Widgets
- Raised by:
- Josh Soref
- Opened on:
- 2008-06-27
- Description:
The widgets 1.0: Digital Signature specification currently mandates that the DigestValue be calculated using RSA-SHA1(and indicated as such by the DigestMethod). However, weaknesses have been found in SHA1 [1]. So would some other DigestMethod be more appropriate? does it really matter that SHA1 has been "broken" for this use case? [1] http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
- Related Actions Items:
ACTION-228 on Arthur Barstow to Ask the XML Sec WG "what algorithm do you recommend we use and what identifier should we use for it?" - due 2008-09-03, closed- Related emails:
- Re: ISSUE-22 (Is SHA1 good enough?): Is sha1 as a DigestMethod strong enough for Widgets digital signatures? (from art.barstow@nokia.com on 2008-11-03)
- Widgets digital signatures, off-list discussion about requirements and algorithms. (from tlr@w3.org on 2008-09-26)
- Seeking feedback regarding Widgets Digital Signatures spec (from art.barstow@nokia.com on 2008-09-26)
- [widgets] Minutes from 25 September 2008 Voice Conference (from art.barstow@nokia.com on 2008-09-25)
- [widgets] Agenda for 25 September 2008 Voice Conference (from art.barstow@nokia.com on 2008-09-24)
- ISSUE-22 (Is SHA1 good enough?): Is sha1 as a DigestMethod strong enough for Widgets digital signatures? (from sysbot+tracker@w3.org on 2008-06-27)
Related notes:
2008-11-03 12:58:04: Closed. See:
<http://lists.w3.org/Archives/Public/public-webapps/2008OctDec/0230.html> [Arthur Barstow]
Changelog:
2008-06-27 06:02:02: Created issue 'Is sha1 as a DigestMethod strong enough for Widgets digital signatures?' nickname Is SHA1 good enough? owned by Josh Soref on product , description 'The widgets 1.0: Digital Signature specification currently mandates that the DigestValue be calculated using RSA-SHA1(and indicated as such by the DigestMethod). However, weaknesses have been found in SHA1 [1]. So would some other DigestMethod be more appropriate? does it really matter that SHA1 has been "broken" for this use case? [1] http://www.schneier.com/blog/archives/2005/02/sha1_broken.html' non-public [Marcos Caceres]
2008-07-15 12:47:30: Product changed to Widgets [Arthur Barstow]
2008-07-15 12:49:14: Status changed to 'open' [Arthur Barstow]
2008-11-03 12:58:04: Status changed to 'closed' [Arthur Barstow]