Re: [TLS] Last Call: draft-ietf-tls-rfc4346-bis (The Transport

To: rwilliams at certicom.com (Rob Williams)
Subject: Re: [TLS] Last Call: draft-ietf-tls-rfc4346-bis (The Transport
From: Martin Rex <Martin.Rex at sap.com>
Date: Mon, 10 Mar 2008 19:56:23 +0100 (MET)
Cc: tls at ietf.org
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <OF0C31C615.1AFB9004-ON85257408.005F41D9-85257408.0060453E at certicom.com> from "Rob Williams" at Mar 10, 8 01:30:07 pm
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: martin.rex at sap.com
Sender: tls-bounces at ietf.org

Rob Williams wrote:
> 
> At Thu, 06 Mar 2008 08:32:04 -0800 
> Eric Rescorla wrote:
> > > There seem to be a lot of strong feelings against SHA-224.
> > > I looked at the FIPS amendment which defines it, and it
> > > doesn't appear to be such a horrible thing.  Can someone
> > > explain how NIST got it so wrong?
> >
> > It's not *bad*. It's just unnecessary.
> 
> Agreed. 
> 
> Just as SHA-224 is to SHA-256, 
>         SHA-384 is to SHA-512: truncated with different IV.
> 
> I am looking forward to seeing SHA-384 removed from TLS 1.2.

I consider the size difference between sha-224 and sha-256 sufficiently
small to not have a significant impact on DSA signature operations.

The difference between sha-256, sha-384 and sha-512 is much larger,
and while the effort for calculating sha-384 and sha-512 might
be the same, the resource consumption on keypair and digital signature
generation for/with the DSA algorithm might make a hash with a
size between 256 and 512 bit attractive.

I don't know what the motivation is to create a seperate hash
(same underlying algorithm, different IV and truncated result)
rather than to define the truncation of the Hash within the
DSA signature generation, but I hope/guess there is some difference which
made the cryptographers come up with SHA-384.

-Martin
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Last Call: draft-ietf-tls-rfc4346-bis (The Transport
  - From: Martin Rex

References:
- Re: [TLS] Last Call: draft-ietf-tls-rfc4346-bis (The Transport
  - From: Rob Williams

Prev by Date: Re: [TLS] Last Call: draft-ietf-tls-rfc4346-bis (The Transport
Next by Date: [TLS] I-D Action:draft-ietf-tls-des-idea-01.txt
Previous by thread: Re: [TLS] Last Call: draft-ietf-tls-rfc4346-bis (The Transport
Next by thread: Re: [TLS] Last Call: draft-ietf-tls-rfc4346-bis (The Transport
Index(es):
- Date
- Thread

Re: [TLS] Last Call: draft-ietf-tls-rfc4346-bis (The Transport

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.