On 28/11/06, Daniel Carrera <dani...@zmsl.com> wrote:
> That's a good idea, though I note that since this spec was written some
> new attacks on SHA1 have appeared. Is it possible to say "use xmlenc
> _except_ we change SHA256 from RECOMMENDED to REQUIRED"?
> It seems appropriate to "require" at least one hash which, at the time
> of writing, "has no known attacks".
> Good idea? Bad idea?

How about adding some flexibility for implementors?
I.e. list a few acceptable encryption algorithms, then require
that an implementation record the one used, which then
means that other implementations can use a number of algorithms
and we can have interop?
The informative clauses can be used to explain the rationale for