Also, but I likely missed the relevant WG thread, why truncate the
fingerprint to 200 bits? (Not that this is likely an issue.)

That was a suggestion from the Berlin meeting.

Can you (or someone else) give some more insight on the requirements
that were identified as a basis for this suggestion?

The SHA-3 contest reaffirmed that SHA-2 is doing just fine in terms of
cryptanalysis, so 160 bits truncated SHA-2 would be just fine even if we
consider strong collision resistance a requirement. But we had this
topic before, and from what I remember no one was able to come up with an
attack scenario where a collision would be useful in any way. Still the
idea now is to add another 40 bits on top?
- V
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp