Re: [saag] RE: No need for SHA-2 Packet Authentication - Open Let ter to the WG a nd Area Directors

[RJ Atkinson <rja@xxxxxxxxxxxxxxxxxxx>]

On Monday, July 22, 2002, at 01:39 , Hallam-Baker, Phillip wrote:
> Given that the only party for whom SHA-256 use is postulated as being
> mandated is the US federal government, has anyone from the US federal 
> govt.
> actually stated that they intend to make SHA-256 a requirement over 
> SHA-1?

Yes.  I've heard from USG folks that NIST will be making SHA-256 a FIPS
requirement (in at least some situations).  I don't know whether or 
claim that
such a decision would necessarily mean deprecating SHA-1.  My own 
assumption
is that more than one hash could co-exist, each with its own uses.

> My understanding is that the new SHA hashes are supplemental to SHA-1 
> and
> that the accreditation for SHA-1 is unaffected (at least for the
> moment).Certainly one would hope to see DSA updated before SHA-1 is
> withdrawn!

Requiring FOO in some applications would not necessarily imply 
deprecating BAR.
I think you are coupling things together that are not necessarily coupled
in the quoted text above.

But, as I noted originally, USG customers might prefer SHA-256 over 
SHA-1-bis
regardless of what the IETF says is an IETF standard.

Ran
rja@xxxxxxxxxxxxxxxxxxx