[reportlab-users] UC fips compliant
Claude Paroz
claude at 2xlibre.net
Tue Sep 21 12:34:09 EDT 2021
Le 21.09.21 à 18:13, Tim Roberts a écrit :
> Satchell Julian via reportlab-users wrote:
>>
>>
>> SHA-1 is no longer recommended, as collision attacks on it are well
>> known. Minimum is something in the SHA2 family, depending on strength
>> / length requirement.
>>
> Well, you have to balance the cost against the risk. With one
> exception, MD5 is not used in a security context within ReportLab. It's
> just a hash algorithm. There is no "attack vector", and there are no
> secrets being protected. For those uses, even SHA1 is overkill, and
> SHA2 is vast overkill.
Also note the new usedforsecurity argument added in Python 3.9:
https://docs.python.org/3/library/hashlib.html#hashlib-usedforsecurity
That could help for FIPS compliance. See also the ticket and patch
discussing the same topic for Django:
https://code.djangoproject.com/ticket/28401
https://github.com/django/django/pull/14763/
Claude
More information about the reportlab-users
mailing list