-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do we need sha3-512 in the vocabulary tables? #1455
Comments
Note that if we make a change on this, similar changes ought to be done in the DI spec. |
Yep, just found the issue on a version of openssl that modern Macs ship... turns out that a number of openssl options aren't universally supported for anything other than sha2-256. Agree that anything more than sha2-256 is unnecessary. No other production system at the moment, including ones approved for high security governmental use, require more than sha2-256. Let's just remove the sha3 hashes. The file is version controlled, is date-stamped, will be static at W3C, and it will have a sha2-256 hash. That is more than enough security around the vocabulary and context files. |
The issue was discussed in a meeting on 2024-03-13
View the transcript4.6. Do we need sha3-512 in the vocabulary tables? (issue vc-data-model#1455)See github issue vc-data-model#1455. Manu Sporny: add crypto hashes to files referred to. Disagreement on whether SHA-256 is enough, then folks wanted SHA-384 then why not 512.
Manu Sporny: so we have confirmation from NIST, so we should backoff multiple hashes. Ivan Herman: OpenSSL on Mac doesn't have SHA-3. It is possible to install alternative that has sha3, but a bit tricky... Not everyone will do that...
Ivan Herman: happy to write a PR if group agrees. Only when PR 1454 is merged. Don't want merge conflicts. Joe Andrieu: disagree, we shouldn't get rid of extensibility. Manu Sporny: to be clear a maintenance group can publish at any time. If SHA-256 is broken, many things would need to be rev'd. Michael Jones: If SHA-256 is broken, then every piece of software that uses crypto will be broken.
Brent Zundel: closing meeting for today, not meeting next week. Thanks. |
PR #1459 has been raised. If that is accepted and merged, this issue can be closed. |
Dotting an I, PR #1459 has been merged, closing this. |
The issue was discussed in a meeting on 2024-03-27
View the transcript3.3. Do we need sha3-512 in the vocabulary tables? (issue vc-data-model#1455)See github issue vc-data-model#1455. Brent Zundel: this issue can be closed. |
The vocabulary tables in Appendix B2 include a reference hash value for sha256 and for sha3-512. The problem is that, at least at this moment, the availability of sha3-512 is still patchy, which means that the instructions in the paragraph underneath the table fail in some? (many?) cases. (Anecdotally, I use a 3 year old MacBook Pro, with the latest verion of the OS, ie, Sonoma 14.3.1, and the
openssl
command fails on sha3. I have to install via brew and take some extra steps to get the right versions of openssl.)Personally, I am not sure why having sha3-512 is necessary for what it is used for here.
The text was updated successfully, but these errors were encountered: