On Wednesday 24 September 2008 01:30:15 Paul Hoffman wrote: > At 4:23 PM -0700 9/23/08, Nelson B Bolyard wrote: <snip> > >There also products today that cannot handle SHA-2 hashes, and that limit > >RSA key/signature sizes to 2k bits. I would not advise any CA to limit > >itself to those limits just for those few straggling products.
The problem for CAs is... If potential customers for certificates find out that CA 1's certificates work with "those few straggling products", but CA 2's certificates don't, whose certificates do you think they're more likely to buy (assuming the prices are not wildly different)? > >Much as > >I don't like to say it, the big question is: does MSIE support it? > >If IE and FF both support SHA-2, then go for it. If users say "I have to > >switch away from <favorite browser> to MSIE to shop at site xxx.com", > >you can be sure that other products will play catch-up, quickly. > > I think it is the opposite. Last I heard, MSIE didn't support > RSA-with-SHA256 on XP but did on Vista. I heard conflicting stories > about Microsoft's intention to fix that in an XP upgrade. Others on > this list certainly know more about this than I do (and may even be > able to test it). FYI, the "Overview of Windows XP Service Pack 3" document available at... http://www.microsoft.com/downloads/details.aspx?FamilyId=68C48DAD-BC34-40BE-8D85-6BB4F56F5110&displaylang=en ...says that Windows XP Service Pack 3... "Implements and supports the SHA2 hashing algorithms (SHA256, SHA384, and SHA512) in X.509 certificate validation. This has been added to the crypto module rsaenh.dll. XP SP2 crypto modules Rsaenh.dll/Dssenh.dll/Fips.sys had been certified according to FIPS 140-1 specifications. The Federal Information Processing Standard (FIPS) 140-1 standard has been replaced by FIPS 140-2, and these modules have been validated and certified according to this standard. For more information, see the Microsoft Kernel Mode Cryptographic Module." Here's the FIPS 140-2 cert: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#997 Of course, Windows XP/SP1/SP2 and Windows 2000 still don't support anything stronger than SHA-1, so we're still stuck with using RSA-with-SHA1 in order to maintain compatibility with IE5/6/7 on those platforms. -- Rob Stradling Senior Research & Development Scientist Comodo - Creating Trust Online Office Tel: +44.(0)1274.730505 Fax Europe: +44.(0)1274.730909 www.comodo.com Comodo CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
