Do we need sha3-512 in the vocabulary tables?

[iherman]

The vocabulary tables in Appendix B2 include a reference hash value for sha256 and for sha3-512. The problem is that, at least at this moment, the availability of sha3-512 is still patchy, which means that the instructions in the paragraph underneath the table fail in some? (many?) cases. (Anecdotally, I use a 3 year old MacBook Pro, with the latest verion of the OS, ie, Sonoma 14.3.1, and the openssl command fails on sha3. I have to install via brew and take some extra steps to get the right versions of openssl.)

Personally, I am not sure why having sha3-512 is necessary for what it is used for here.

[iherman]

Note that if we make a change on this, similar changes ought to be done in the DI spec.

[msporny]

Yep, just found the issue on a version of openssl that modern Macs ship... turns out that a number of openssl options aren't universally supported for anything other than sha2-256.

Agree that anything more than sha2-256 is unnecessary. No other production system at the moment, including ones approved for high security governmental use, require more than sha2-256.

Let's just remove the sha3 hashes. The file is version controlled, is date-stamped, will be static at W3C, and it will have a sha2-256 hash. That is more than enough security around the vocabulary and context files.

[iherman]

The issue was discussed in a meeting on 2024-03-13

• no resolutions were taken

View the transcript

#### 4.6. Do we need sha3-512 in the vocabulary tables? (issue vc-data-model#1455) _See github issue [vc-data-model#1455](https://github.com/w3c/vc-data-model/issues/1455)._ **Manu Sporny:** add crypto hashes to files referred to. Disagreement on whether SHA-256 is enough, then folks wanted SHA-384 then why not 512. … then why not a CLI that everyone has, then OpenSSL, but different on different platforms. … NIST guidelines, PQ in year 2035, SHA-256 good until 2035. > *Steve McCown:* FYI, Apple us launching PQ for iMessages in the near term: [https://security.apple.com/blog/imessage-pq3/](https://security.apple.com/blog/imessage-pq3/). **Manu Sporny:** so we have confirmation from NIST, so we should backoff multiple hashes. … should change all hashes across the board for SHA2-256. **Ivan Herman:** OpenSSL on Mac doesn't have SHA-3. It is possible to install alternative that has sha3, but a bit tricky... Not everyone will do that... > *Dave Longley:* i.e., no wide, default support for sha3. **Ivan Herman:** happy to write a PR if group agrees. Only when PR 1454 is merged. Don't want merge conflicts. … will write PR for DI spec to have everything aligned. **Joe Andrieu:** disagree, we shouldn't get rid of extensibility. **Manu Sporny:** to be clear a maintenance group can publish at any time. If SHA-256 is broken, many things would need to be rev'd. … many things more important that hashes of vocabulary files. This is different from the cryptography used in ECDSA, EDDSA, etc... … This is for vocabulary files. **Michael Jones:** If SHA-256 is broken, then every piece of software that uses crypto will be broken. > *Manu Sporny:* Completely agree with Mike Jones... "It'll be a frikkin' big deal" <-- YES! :). > *Dave Longley:* +1 to Mike. **Brent Zundel:** closing meeting for today, not meeting next week. Thanks. ---

[iherman]

PR #1459 has been raised. If that is accepted and merged, this issue can be closed.

[TallTed]

Dotting an I, PR https://github.com/w3c/vc-data-model/pull/1459 has been merged, closing this.

[iherman]

The issue was discussed in a meeting on 2024-03-27

• no resolutions were taken

View the transcript

#### 3.3. Do we need sha3-512 in the vocabulary tables? (issue vc-data-model#1455) _See github issue [vc-data-model#1455](https://github.com/w3c/vc-data-model/issues/1455)._ **Brent Zundel:** this issue can be closed.