
RE: SHA 1 vs. SHA 256 for Root CA



I do not see a problem with using SHA-1 for a self-signed certificate.
A self-signed certificate is vulnerable to modification and substitution
and hence must be protected using other means while stored or
communicated.

Thus, SHA-1 for self-signed root is fine.  SHA-256 will not protect it
any better.

You cannot say the same about the certificates issued by the Root.

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of ROGER YOUNGLOVE
Sent: Monday, January 29, 2007 9:39 AM
To: ietf-pkix@xxxxxxx
Subject: SHA 1 vs. SHA 256 for Root CA


We are standing up a number of CAs (Self-signed Root, Policy and
Issuing). The question has come up: with the Microsoft CA product we have
the ability to choose SHA 1, SHA 256, SHA 512. I believe that SHA1 is not
sufficient for a 20 year root CA lifespan. I need expert support for
moving to SHA 256 at a minimum.

Roger Younglove
Principal Consultant
Ford Motor Company
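The distinction drawn in the reply above (the self-signature on a root is not what the trust store relies on, but the signature on every certificate the root issues is) can be turned into a chain audit. The script below is an added example and is not code from the list or from either poster; it uses only the Python standard library, walks the DER of each certificate to read its signatureAlgorithm OID and compare issuer with subject, and flags SHA-1 only on certificates that are not self-signed. The certificates it runs on are constructed fixtures with dummy signature bits and a placeholder public key, built inline so the example runs offline; the names "Example Root", "Example Policy CA" and "Example Issuing CA" are assumptions, not anything from the thread.

```python
"""Audit the signature hash on each certificate in a chain (added example)."""

# Signature-algorithm OIDs recognised here (RFC 3279 / RFC 5758 values).
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Decode OID content bytes into dotted form."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def inspect_certificate(der):
    """Return the outer signature algorithm and whether issuer == subject."""
    _, cert, _ = der_read(der, 0)                      # Certificate ::= SEQUENCE
    (_, tbs), (_, sig_alg), _sig_value = der_children(cert)
    fields = der_children(tbs)                         # TBSCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0               # skip explicit [0] version if present
    issuer, subject = fields[i + 2][1], fields[i + 4][1]
    oid = decode_oid(der_children(sig_alg)[0][1])
    name, digest = SIG_ALGS.get(oid, (oid, "unknown"))
    return {"algorithm": name, "digest": digest, "self_signed": issuer == subject}

def audit_chain(chain_der):
    """Apply the rule from the thread: SHA-1 is tolerable only on a self-signed root."""
    findings = []
    for der in chain_der:
        info = inspect_certificate(der)
        if info["digest"] != "sha1":
            verdict = "ok"
        elif info["self_signed"]:
            verdict = "acceptable: the self-signature is not what the trust store relies on"
        else:
            verdict = "weak: issued certificate signed with SHA-1"
        findings.append({**info, "verdict": verdict})
    return findings

# --- Constructed fixtures (not real certificates: dummy signature bits, placeholder key) ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def rdn_cn(cn):  # Name ::= SEQUENCE OF SET OF { commonName (2.5.4.3), UTF8String }
    return der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))

def alg_id(oid_hex):  # AlgorithmIdentifier with NULL parameters
    return der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))

OID_HEX = {"sha1": "2a864886f70d010105", "sha256": "2a864886f70d01010b"}

def make_cert(subject, issuer, digest):
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg_id(OID_HEX[digest]) +
              rdn_cn(issuer) +
              der(0x30, der(0x17, b"070129000000Z") + der(0x17, b"270129000000Z")) +
              rdn_cn(subject) +
              der(0x30, alg_id("2a864886f70d010101") + der(0x03, b"\x00" * 9)))  # placeholder SPKI
    return der(0x30, tbs + alg_id(OID_HEX[digest]) + der(0x03, b"\x00" * 17))  # dummy signatureValue

CHAIN = [
    make_cert("Example Root", "Example Root", "sha1"),         # self-signed root, SHA-1
    make_cert("Example Policy CA", "Example Root", "sha1"),    # issued by the root with SHA-1: the weak case
    make_cert("Example Issuing CA", "Example Policy CA", "sha256"),
]

if __name__ == "__main__":
    for f in audit_chain(CHAIN):
        print(f"{f['algorithm']:<24} self_signed={f['self_signed']!s:<5} {f['verdict']}")
```

The check deliberately reads the outer signatureAlgorithm rather than the one inside the TBSCertificate: the outer value is what the issuer actually signed with, and for a subordinate CA that is the hash chosen when the parent issued it, which is why the root's own SHA-1 self-signature passes while a SHA-1 signature on the policy CA does not. On real certificates the same walker works on the DER from a `.cer` file, though it verifies no signatures and only reports the algorithm.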