On 10/24/07, Bernardo Innocenti <bernie@xxxxxxxxxxx> wrote:
> On 10/24/07 13:09, Alan Cox wrote:
[snip]
> > Which presumably means they'll not be using SHA1 much longer - right ?
>
> Uh? I wasn't aware SHA1 has been broken (at least, not in
> a practically exploitable way).

It hasn't ... yet. But the US government is mandating that it not be used after 2010, so anyone wanting to be able to fulfill that needs to plan now how to make the transition:

"March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010."

http://csrc.nist.gov/groups/ST/hash/policy.html

Best wishes,
Oisin Feeley