Hashing Algorithms Allowed


#1

Is it currently allowed for someone to choose their certificate to be signed using SHA-384 or SHA-512 yet? Are there plans to do so? If yes, approximately when?

@jsha Do you have any information?


#2

It’s not on the roadmap at the moment.


#3

it would be great that if the algo is good (sha2) that it would just take the one from the CSR (I always make my CSRs SHA512)


#4

It’s debatable whether this is correct or not. I once had the same question:

I came to the conclusion that it’s not a very good idea. Just to give you an example, gnutls shipped on most of ubuntu distributions are only capable of signing a CSR with SHA1. While this is fine for a CSR and generally irrelevant, as we all know SHA1 certificates are deprecated.

Therefore, reusing the same algorithm of the CSR may not be a good idea (and it can also cause unexpected and unintentional issues to less technical users).


#5

I said IF the algo is good.

for bad algos just fall back to sha256 or whatever the default will be.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.