Closed johnae closed 12 years ago
Wow, this apparently got lost in my email!
There's no strongly technical reason that SHA512 is used by default aside from that it's the widest largely-available hash. All my reference implementations supported 512 but I could make it configurable to use SHA1 as a fallback option.
This is now configurable in the outer-most part of a signing_profile. You can call sign!({"digest" => "SHA1"}) as long as the string resolves to a correct OpenSSL digest.
I've encountered software that doesn't understand this and won't work with the generated certificates (in my case RabbitMQ, which I guess is really a possible problem with the Erlang ssl library). Anyway, why doesn't certificate_authority default to SHA1?
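The thread above turns on a digest name that has to resolve to an OpenSSL digest and on which signature algorithm ends up in the generated certificate. The following is an added example, not code from the thread or from certificate_authority, that checks both using only Ruby's standard openssl library. The helper names `resolve_digest`, `self_signed_cert` and `signature_report` and the subject `digest-test.example` are assumptions made for illustration.

```ruby
require "openssl"

# Resolve a digest name through OpenSSL itself, which is what a configured
# string such as "SHA512" has to survive. Unknown names raise ArgumentError.
def resolve_digest(name)
  OpenSSL::Digest.new(name)
rescue StandardError => e
  raise ArgumentError, "not an OpenSSL digest: #{name.inspect} (#{e.message})"
end

# Build a throwaway self-signed certificate signed with the named digest.
# Subject, serial and validity are constructed sample values.
def self_signed_cert(digest_name, key = OpenSSL::PKey::RSA.new(2048))
  name = OpenSSL::X509::Name.parse("/CN=digest-test.example")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, resolve_digest(digest_name))
end

# Report what a peer will actually see in the certificate: the signature
# algorithm it names, and whether the signature verifies against the key.
def signature_report(cert, key)
  { algorithm: cert.signature_algorithm, valid: cert.verify(key) }
end

# Compare the algorithm recorded in certificates signed with each digest name.
def compare_digests(names, key = OpenSSL::PKey::RSA.new(2048))
  names.to_h { |n| [n, signature_report(self_signed_cert(n, key), key)] }
end
```

Running `signature_report` against a certificate that a peer rejects shows which signature algorithm it carries, which is the first thing to compare with what the peer's TLS library supports.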