ISSUE-158: Add SHA-1 warnings

Add SHA-1 warnings

State:
CLOSED
Product:
XML SIgnature 1.1
Raised by:
Frederick Hirsch
Opened on:
2009-12-14
Description:
(from email http://lists.w3.org/Archives/Public/public-xmlsec/2009Dec/0033.html )

Do we need more text in XML Signature 1.1 regarding the suitability
(or lack thereof) of SHA-1, and maybe a reference to the NIST
recommendation to use SHA2 going forward from 2010 as well as the
crypto regarding SHA-1?

We probably also need to add this to the 1.1 requirements as well.

Does anyone have a good pointer to a paper outlining why SHA-1 is no
longer suitable?

Is the suitable NIST reference the following, or is there a better one?

[[ March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
applications using secure hash algorithms. Federal agencies should
stop using SHA-1 for digital signatures, digital time stamping and
other applications that require collision resistance as soon as
practical, and must use the SHA-2 family of hash functions for these
applications after 2010. After 2010, Federal agencies may use SHA-1
only for the following applications: hash-based message authentication
codes (HMACs); key derivation functions (KDFs); and random number
generators (RNGs). Regardless of use, NIST encourages application and
protocol designers to use the SHA-2 family of hash functions for all
new applications and protocols. ]]

http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html
Related Actions Items:
No related actions
Related emails:
  1. Agenda - Distributed Meeting 2010-01-19 v3 (from frederick.hirsch@nokia.com on 2010-01-19)
  2. Agenda - Distributed Meeting 2010-01-19 v2 (from frederick.hirsch@nokia.com on 2010-01-18)
  3. Agenda - Distributed Meeting 2010-01-19 (from frederick.hirsch@nokia.com on 2010-01-18)
  4. Revised Draft minutes 1/12/10, please review (from frederick.hirsch@nokia.com on 2010-01-12)
  5. Editorial update: XML Signature 1.1, XML Encryption 1.1, XML Security 1.1 Requirements (from frederick.hirsch@nokia.com on 2010-01-12)
  6. Draft minutes 1/12/10, please review (from Sean.Mullan@Sun.COM on 2010-01-12)
  7. Agenda: Distributed Meeting 2010-01-12 v2 (from frederick.hirsch@nokia.com on 2010-01-12)
  8. Agenda: Distributed Meeting 2010-01-12 (from frederick.hirsch@nokia.com on 2010-01-08)
  9. Draft minutes 2009-12-15, please review (from frederick.hirsch@nokia.com on 2009-12-15)
  10. Re: ISSUE-158: Add SHA-1 warnings [Sig11 (XML Signature 1.1)] (from Peter.SaintAndre@webex.com on 2009-12-14)
  11. Agenda: Distributed Meeting 2009-12-15 (from frederick.hirsch@nokia.com on 2009-12-14)
  12. ISSUE-158: Add SHA-1 warnings [Sig11 (XML Signature 1.1)] (from sysbot+tracker@w3.org on 2009-12-14)

Related notes:

[fjh]: closed

12 Jan 2010, 22:08:44

Display change log ATOM feed

Chair, Staff Contact
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 158.html,v 1.1 2017/01/10 16:24:44 carine Exp $