Should we settle on one SSL implementation?

Oisin Feeley oisin.feeley at
Sat Oct 27 16:16:27 UTC 2007

On 10/24/07, Bernardo Innocenti <bernie at> wrote:
> On 10/24/07 13:09, Alan Cox wrote:


> > Which presumably means they'll not be using SHA1 much longer - right ?
> Uh?  I wasn't aware SHA1 has been broken (at least, not in
> a practically exploitable way).

It hasn't ... yet.  But the US government is mandating that it not be
used after 2010, so anyone wanting to be able to fulfill that needs to
plan now how to make the transition:

"March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
applications using secure hash algorithms. Federal agencies should
stop using SHA-1 for digital signatures, digital time stamping and
other applications that require collision resistance as soon as
practical, and must use the SHA-2 family of hash functions for these
applications after 2010."

Best wishes,

Oisin Feeley

More information about the fedora-devel-list mailing list