Closed: iherman closed this 3 months ago
Note that if we make a change on this, similar changes ought to be done in the DI spec.
Yep, just found the issue on a version of openssl that modern Macs ship... turns out that a number of openssl options aren't universally supported for anything other than sha2-256.
Agree that anything more than sha2-256 is unnecessary. No other production system at the moment, including ones approved for high security governmental use, requires more than sha2-256.
Let's just remove the sha3 hashes. The file is version controlled, is date-stamped, will be static at W3C, and it will have a sha2-256 hash. That is more than enough security around the vocabulary and context files.
The issue was discussed in a meeting on 2024-03-13
PR #1459 has been raised. If that is accepted and merged, this issue can be closed.
Dotting an I, PR https://github.com/w3c/vc-data-model/pull/1459 has been merged, closing this.
The issue was discussed in a meeting on 2024-03-27
The vocabulary tables in Appendix B2 include a reference hash value for sha256 and for sha3-512. The problem is that, at least at this moment, the availability of sha3-512 is still patchy, which means that the instructions in the paragraph underneath the table fail in some? (many?) cases. (Anecdotally, I use a 3 year old MacBook Pro, with the latest version of the OS, i.e., Sonoma 14.3.1, and the openssl command fails on sha3. I have to install via brew and take some extra steps to get the right versions of openssl.)

Personally, I am not sure why having sha3-512 is necessary for what it is used for here.
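An added example, not part of this thread or of the spec: a POSIX shell check that verifies a downloaded vocabulary or context file against published digests while tolerating an openssl build that lacks sha3. The function names, the `ALG=HEX` argument form and hex-encoded digests are assumptions made for the illustration.

```shell
#!/bin/sh
# Illustrative helper names; not taken from the spec or its tooling.

# Probe by running the digest on empty input: some openssl builds have no
# usable listing command, but an unsupported digest always exits non-zero.
digest_supported() {
    openssl dgst -r "-$1" </dev/null >/dev/null 2>&1
}

# Print the hex digest of file $2 under algorithm $1 (e.g. sha256, sha3-512).
file_digest() {
    out=$(openssl dgst -r "-$1" <"$2" 2>/dev/null) || return 2
    printf '%s\n' "${out%% *}"   # -r prints "<hex> *stdin"; keep the hex part
}

# verify_file FILE ALG=HEX [ALG=HEX ...]
# Checks FILE against the first listed digest the local openssl supports.
# Returns 0 on match, 1 on mismatch, 2 if no listed algorithm is usable.
verify_file() {
    file=$1; shift
    for pair in "$@"; do
        alg=${pair%%=*}; want=${pair#*=}
        digest_supported "$alg" || continue
        got=$(file_digest "$alg" "$file") || continue
        [ "$got" = "$want" ] && return 0
        return 1
    done
    return 2
}
```

Listing `sha3-512=...` first and `sha256=...` second makes the check use sha3 where it exists and fall back to sha2-256 elsewhere; exit status 2 separates "this openssl cannot check any listed digest" from a real mismatch.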