Change digital signature algorithms to use SHA256 #17
Comments
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by
|
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Original comment by |
Putting together some references to track this bug... Discussion:
SHA-1 prestart collision attack and Arstechnica link:
SP 800-131A "SHA-1 shall not be used for digital signature generation after December 31, 2013" |
This one is very sad that it has sat so long, while the pull request wasn't complete, it was pretty close, see comments: For reference, a functioning keytype in C# fixed for this issue ( added in the unofficial namespace since since it doesn't exist in other keyczars). |
@jbtule From the pull request it looks like stylistic changes at best. How come it didn't make it? |
@wsargent A bit more than stylistic, they were things that needed adjusted security wise, like for the digest algorithm being chosen, and for interoperability such as the key representation in json file and how the key material should be hashed to identify it. However, you are right in that these things were pretty trivial and identified in the review, and were (and still are) easy to fix. |
Original issue reported on code.google.com by
stevew...@gmail.com
on 12 Aug 2008 at 5:46The text was updated successfully, but these errors were encountered: