RE: [saag] RE: No need for SHA-2 Packet Authentication - Open Letter to the WG and Area Directors
This discussion is futile.
If USG want to make a requirement in this area it is up to the USG to make
the request to the working group, in particular it is the responsibility of
NIST which has the primary responsibility for liaising with standards
organizations.
Phill
> -----Original Message-----
> From: RJ Atkinson [mailto:rja@xxxxxxxxxxxxxxxxxxx]
> Sent: Monday, July 22, 2002 6:14 PM
> To: Hallam-Baker, Phillip
> Cc: IPSec Working Group; SAAG
> Subject: Re: [saag] RE: No need for SHA-2 Packet Authentication - Open
> Letter to the WG and Area Directors
>
>
>
> On Monday, July 22, 2002, at 01:39 , Hallam-Baker, Phillip wrote:
> > Given that the only party for whom SHA-256 use is postulated as being
> > mandated is the US federal government, has anyone from the US federal
> > govt. actually stated that they intend to make SHA-256 a requirement over
> > SHA-1?
>
> Yes. I've heard from USG folks that NIST will be making SHA-256 a FIPS
> requirement (in at least some situations). I don't know whether or claim that
> such a decision would necessarily mean deprecating SHA-1. My own assumption
> is that more than one hash could co-exist, each with its own uses.
>
> > My understanding is that the new SHA hashes are supplemental to SHA-1 and
> > that the accreditation for SHA-1 is unaffected (at least for the
> > moment). Certainly one would hope to see DSA updated before SHA-1 is
> > withdrawn!
>
> Requiring FOO in some applications would not necessarily imply deprecating BAR.
> I think you are coupling things together that are not necessarily coupled
> in the quoted text above.
>
> But, as I noted originally, USG customers might prefer SHA-256 over SHA-1-bis
> regardless of what the IETF says is an IETF standard.
>
> Ran
> rja@xxxxxxxxxxxxxxxxxxx
>