RE: SHA 1 vs. SHA 256 for Root CA

["ROGER YOUNGLOVE" <ryounglove1@xxxxxxx>]

Gentlemen,
Thank you for the rapid response. One thing I did not mention was that we 
are using a Micorsoft CA implentation from Windows Server 2003 EE.
We just found out that this CA product does not recognize SHA 256 or above 
even though it is an option.



TTFN
Roger Younglove





> From: "Ogle Ron" <ron.ogle@xxxxxxxxxxx>
> To: "ROGER YOUNGLOVE" <ryounglove1@xxxxxxx>, <ietf-pkix@xxxxxxx>
> Subject: RE: SHA 1 vs. SHA 256 for Root CA
> Date: Mon, 29 Jan 2007 11:22:07 -0500
>
>
> What size are you planning for your CA keys ?  If you are going to use
> RSA 1024, then SHA1 is probably ok.  Also, look at the applications that
> you will be using especially for the near future.  They may not work
> correctly with anything other than SHA1.  Later on, you could always
> re-issue your CA certs with the same keys but with the newer SHA 256
> algorithm.
>
> IMHO, go for the ease of use and interoperability than trying to ensure
> that everything is extremely secure/unbreakable.
>
> Ron Ogle
>
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of ROGER YOUNGLOVE
> Sent: Monday, January 29, 2007 9:39 AM
> To: ietf-pkix@xxxxxxx
> Subject: SHA 1 vs. SHA 256 for Root CA
>
>
> We are standing up a number of CAs (Selfsigned Root, Policy and
> Issueing).
> The question has come up with the Microsoft CA product we have the
> ability
> to chose SHA 1, SHA 256, SHA 512. i believe that SHA1 is not sufficent
> for a
> 20 year root CA lifespan. I need expert support for moving to SHA 256 at
> a
> minimum.
>
> Roger Younglove
> Principal Consultant
> Ford Motor Company