I've updated the limitations section, but please let me know if I missed anything as I Am Not A Cryptographer:
"First, the big one. Keyczar generates RSA and DSA keys using SHA-1. This is a problem if you plan on using asymmetric signing (digital signatures) with Keyczar. According to SP 800-131A “SHA-1 shall not be used for digital signature generation after December 31, 2013.” This has been a bug since 2008, but has not been corrected. Ars Technica reports that a freestart collision (a tailored case where the initialization vectors are preselected) against SHA-1 was successful, and it’s expected that a SHA-1 collision would cost around $75,000 to $120,000 and several months right now… expensive for most people, but pocket change for a determined adversary.
That being said, it doesn’t mean SHA-1 itself is “broken”. There are three different things that can involve SHA-1:
SHA-1 is a cryptographic hash: it provides integrity.
HMAC-SHA1 is a hash based message authentication code: it provides integrity and authentication.
RSASSA-PSS is a digital signature: it provides integrity, authentication and non-repudiation.
A preimage attack (given a hash, find something that makes that hash) would break integrity. A second-preimage attack (given a message, find a different message with the same hash) would break authenticity. A collision attack would break non-repudiation. So, this attack would ONLY break asymmetric signing. There are references to truncated SHA-1 hashes throughout the documentation — these are integrity checks, so they’re fine. That being said… it’s not great.
Keyczar, when using symmetric signing, will only generate HMAC-SHA1, and specifying size=256 will not magically turn it into a SHA256 hash. See above."
I'm unsure of the digital signature mechanism used: I assume it's RSASSA-PSS / RFC 3560.
Will.
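The hash / HMAC / signature distinction Will draws above can be made concrete with a toy that actually finds a collision. The following is an added example and is not part of the thread or of Keyczar: it assumes a "hash" of SHA-1 truncated to 24 bits (so a birthday search collides in a few thousand tries), a textbook RSA signature over that digest with a small fixed key and no PSS padding, and an HMAC of RFC 2104 shape built over the same truncated hash. With those stand-ins it shows that one colliding message pair lets a signature made on one message verify on the other (non-repudiation lost), while the keyed MAC of the two messages still differs, because the collision was found without the key.

```python
"""Toy demonstration: a hash collision breaks a signature but not an HMAC.

Added example, not Keyczar code. The "hash" is SHA-1 truncated to 24 bits
(assumption) so that a collision is findable in seconds, and the "signature"
is textbook RSA over that digest with a small fixed key (assumption, no PSS
padding). The relationships between hash, HMAC and signature are the point,
not the toy parameters.
"""
from __future__ import annotations

import hashlib

DIGEST_BYTES = 3  # 24-bit digest: birthday collision after ~2**12 messages

# Toy RSA key from two fixed 30-bit primes (assumption: far too small for
# real use; chosen only so that N exceeds the 24-bit digest).
P, Q = 1_000_000_007, 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+

# Constructed MAC key; the attacker searching for collisions never sees it.
KEY = b"symmetric-mac-key-that-the-attacker-does-not-know"


def trunc_hash(msg: bytes) -> bytes:
    """Integrity-only primitive: SHA-1 truncated to DIGEST_BYTES."""
    return hashlib.sha1(msg).digest()[:DIGEST_BYTES]


def find_collision() -> tuple[bytes, bytes]:
    """Birthday search for two distinct messages with equal trunc_hash."""
    seen: dict[bytes, bytes] = {}
    i = 0
    while True:
        msg = b"invoice-%d" % i  # constructed messages, all distinct
        h = trunc_hash(msg)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
        i += 1


def toy_hmac(key: bytes, msg: bytes) -> bytes:
    """HMAC (RFC 2104 structure, 64-byte block) built over trunc_hash."""
    if len(key) > 64:
        key = trunc_hash(key)
    key = key.ljust(64, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return trunc_hash(opad + trunc_hash(ipad + msg))


def sign(msg: bytes) -> int:
    """Textbook RSA signature over the digest (assumption: no padding)."""
    return pow(int.from_bytes(trunc_hash(msg), "big"), D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Recover the digest from the signature and compare with the message's."""
    return pow(sig, E, N) == int.from_bytes(trunc_hash(msg), "big")


def demo() -> dict:
    """Run the three roles against one colliding pair and report what breaks."""
    m1, m2 = find_collision()
    sig = sign(m1)  # the signer only ever agreed to m1
    return {
        "hash_collides": trunc_hash(m1) == trunc_hash(m2),
        # The same signature verifies on m2: non-repudiation is gone.
        "signature_transfers": verify(m2, sig),
        # The keyed MAC still tells them apart: the collision was found
        # without the key, so it says nothing about H(key_pad || m).
        "hmac_collides": toy_hmac(KEY, m1) == toy_hmac(KEY, m2),
    }


if __name__ == "__main__":
    print(demo())
```

Expected result: `hash_collides` and `signature_transfers` are True, `hmac_collides` is False. Shrinking the digest is what makes this runnable; the structure is the same argument for full SHA-1, which is why the post treats a SHA-1 collision as a problem for Keyczar's RSA/DSA signatures but not, by itself, for its HMAC-SHA1 or for truncated-hash integrity checks.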