Werner Koch
2017-03-17 09:00:10 UTC
Hi,
Here is my suggestion on how to deprecate hash algorithms. The new text
is:
Implementations MUST implement SHA-256. Implementations MAY implement
other algorithms. Implementations MUST NOT create messages which
require the use of SHA-1 with the exception of computing version 4 key
fingerprints and for purposes of the MDC packet. Implementations MUST
NOT use MD5 or RIPE-MD/160.
Rationale below.
Salam-Shalom,
Werner
--8<---------------cut here---------------start------------->8---
From b03e6b2a2a41a724571c7aa3ad8ef134aec8f348 Mon Sep 17 00:00:00 2001
From: Werner Koch <***@gnupg.org>
Date: Fri, 17 Mar 2017 09:54:18 +0100
Subject: [PATCH] Deprecate legacy hash algorithms
MD5 has been deprecated for a long time; using MOST NOT implement is
thus due.
SHA-1 is still required to verify existing signature and can't be
deprecated. However it is not anymore a mandatory algorithm with the
exception of MDC packets which we need to support at least read-only
for the foreseeable future.
Upgrading SHA-256 to a mandatory algorithm should be obvious.
Keeping SHA-512 optional benefits implementations on low end
platforms.
---
middle.mkd | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/middle.mkd b/middle.mkd
index 874f107..25524b6 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -3078,8 +3078,11 @@ ## {9.4} Hash Algorithms
11 SHA224 [](#FIPS180) "SHA224"
100--110 Private/Experimental algorithm
-Implementations MUST implement SHA-1. Implementations MAY implement
-other algorithms. MD5 is deprecated.
+Implementations MUST implement SHA-256. Implementations MAY implement
+other algorithms. Implementations MUST NOT create messages which
+require the use of SHA-1 with the exception of computing version 4 key
+fingerprints and for purposes of the MDC packet. Implementations MUST
+NOT use MD5 OR RIPE-MD/160.
# {10} IANA Considerations
Here is my suggestion on how to deprecate hash algorithms. The new text
is:
Implementations MUST implement SHA-256. Implementations MAY implement
other algorithms. Implementations MUST NOT create messages which
require the use of SHA-1 with the exception of computing version 4 key
fingerprints and for purposes of the MDC packet. Implementations MUST
NOT use MD5 or RIPE-MD/160.
Rationale below.
Salam-Shalom,
Werner
--8<---------------cut here---------------start------------->8---
From b03e6b2a2a41a724571c7aa3ad8ef134aec8f348 Mon Sep 17 00:00:00 2001
From: Werner Koch <***@gnupg.org>
Date: Fri, 17 Mar 2017 09:54:18 +0100
Subject: [PATCH] Deprecate legacy hash algorithms
MD5 has been deprecated for a long time; using MOST NOT implement is
thus due.
SHA-1 is still required to verify existing signature and can't be
deprecated. However it is not anymore a mandatory algorithm with the
exception of MDC packets which we need to support at least read-only
for the foreseeable future.
Upgrading SHA-256 to a mandatory algorithm should be obvious.
Keeping SHA-512 optional benefits implementations on low end
platforms.
---
middle.mkd | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/middle.mkd b/middle.mkd
index 874f107..25524b6 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -3078,8 +3078,11 @@ ## {9.4} Hash Algorithms
11 SHA224 [](#FIPS180) "SHA224"
100--110 Private/Experimental algorithm
-Implementations MUST implement SHA-1. Implementations MAY implement
-other algorithms. MD5 is deprecated.
+Implementations MUST implement SHA-256. Implementations MAY implement
+other algorithms. Implementations MUST NOT create messages which
+require the use of SHA-1 with the exception of computing version 4 key
+fingerprints and for purposes of the MDC packet. Implementations MUST
+NOT use MD5 OR RIPE-MD/160.
# {10} IANA Considerations
--
2.8.1
--8<---------------cut here---------------end--------------->8---
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
2.8.1
--8<---------------cut here---------------end--------------->8---
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.