On 12 April 2018 at 12:41, Georg Koppen gk@torproject.org wrote:
> Tom Ritter:
>> On 5 April 2018 at 09:39, Mark Smith mcs@pearlcrescent.com wrote:
>>> The reason Mozilla chose SHA384 over SHA512 is reduced vulnerability to length extension attacks.
>>
>> This decision was made without the crypto people at Mozilla being involved. We considered it unnecessary and SHA512 would have been fine; but whatever, we're not going to change it again for vanity.
>
> Reading through the bug it seems crypto people were consulted, no?

Security people were consulted, but not cryptographers. :)

> Either way, I wonder what https://bugzilla.mozilla.org/show_bug.cgi?id=1105689#c52 implies
> ("Keep in mind that the implementation design that was created with the security team for this required that we use the system provided crypto instead of NSS if at all possible.")
> because three years ago I said at least that we are using NSS on all platforms. Looking at the changes for SHA-384, though, it seems they don't change the game for us, or am I missing anything?

That is a bit confusing. I wonder if that comment refers to generating the keys as opposed to validating the signatures. Either way, I'm not sure.

-tom