[reportlab-users] UC fips compliant

Tim Roberts timr at probo.com
Tue Sep 21 12:13:17 EDT 2021


Satchell Julian via reportlab-users wrote:
>
>
> SHA-1 is no longer recommended, as collision attacks on it are well 
> known. Minimum is something in the SHA2 family, depending on strength 
> / length requirement.
>
Well, you have to balance the cost against the risk.  With one 
exception, MD5 is not used in a security context within ReportLab.  It's 
just a hash algorithm.  There is no "attack vector", and there are no 
secrets being protected.  For those uses, even SHA1 is overkill, and 
SHA2 is vast overkill.

The one exception is creating a key for PDF encryption, and here they 
are restricted to the standard.  They can't arbitrarily change the 
algorithm.

-- 
Tim Roberts, timr at probo.com
Providenza & Boekelheide, Inc.
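
Added example, not part of the message above and not ReportLab's own code: since Python 3.9 the `hashlib` constructors accept `usedforsecurity=False`, which marks a digest as the non-security kind of use the message describes and allows it in restricted (for example FIPS) environments where a plain MD5 call may be refused. The sketch below audits Python source for MD5 calls that lack that marker; `WEAK`, `SAMPLE`, `_algo` and `find_unmarked` are hypothetical names, and the sample source is constructed.

```python
import ast

WEAK = {"md5"}  # constructors to audit; extend to match local policy

# Constructed sample source for illustration, not taken from ReportLab.
SAMPLE = '''
import hashlib
from hashlib import md5

def cache_key(data):
    return hashlib.md5(data).hexdigest()

def font_tag(data):
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

def obj_id(data):
    return md5(data).hexdigest()

def by_name(data):
    return hashlib.new("md5", data).hexdigest()
'''

def _algo(call):
    """Return the audited algorithm a call constructs, or None."""
    f = call.func
    name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
    if name in WEAK:
        return name
    first = call.args[0] if call.args else None
    if name == "new" and isinstance(first, ast.Constant) and isinstance(first.value, str):
        return first.value.lower() if first.value.lower() in WEAK else None
    return None

def find_unmarked(source):
    """Return sorted (line, algorithm) for calls lacking usedforsecurity=False."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        algo = _algo(node) if isinstance(node, ast.Call) else None
        if algo is None:
            continue
        marked = any(kw.arg == "usedforsecurity"
                     and isinstance(kw.value, ast.Constant)
                     and kw.value.value is False for kw in node.keywords)
        if not marked:
            hits.append((node.lineno, algo))
    return sorted(hits)

if __name__ == "__main__":
    for line, algo in find_unmarked(SAMPLE):
        print(f"line {line}: {algo}() without usedforsecurity=False")
```

Call sites that feed a security function, such as the PDF encryption key mentioned in the message, should be reviewed separately rather than simply marked.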
