Do as I say, not as I do

So we managed to make it past the RSA conference without a new break on a major algorithm. Some people had been expecting that this would be the year that someone finally broke SHA-1, at least at the level of the compression function.

One of the more worrying aspects of the debate, though, is when people say things like 'well, you are still using SHA-1, so why the concern?' This misses the point.

One of the reasons that commercial cryptographic systems have proved so durable is precisely because we are so conservative in choice of algorithms. Changing a cryptographic algorithm is expensive and takes many years. So we look to deploy systems with an expected lifetime of decades.

I am certainly not going to design a new cryptographic security protocol using SHA-1 today. I would look to use SHA-256 or 512. But that does not mean that we should abandon all our existing SHA-1 based applications immediately because we would no longer sanction a new system using that design.

What we do instead is to look at each application in turn and decide whether the known algorithm compromise is significant in the context in which the algorithm is used. This is tedious, time-consuming work, but necessary. It is not work that I would care to do for a new protocol. I am certainly not going to spend my time asking 'must we use SHA-256 here or is SHA-1 sufficient?' when building from scratch - just use the stronger algorithm and be done.

When you have a legacy base to support, it is essential to know whether a new algorithm is a choice or a requirement. Fortunately for Certificate Authorities, the practice of a CA is not critically dependent on the particular cryptographic properties of SHA-1 (or MD5 for that matter) that have been compromised. It is still necessary to plan for SHA-256 support so that future applications can be supported, but we don't need to withdraw support for existing, deployed product.

So if you are designing a new system, use the algorithm we recommend, not the one we support in legacy products with a billion users.
