Eric Rescorla wrote:
Marsh Ray wrote:
I think he's arguing that anything cut down to 96 bits represents a lousy
hash function allowing practical collisions on today's hardware.
Perhaps, but this isn't a digest but rather a MAC, and so the attack
model is different.
You seem to be forgetting that the finished messages have been reused
for other purposes already:
RFC-5929 TLS Channel Bindings
RFC-5746 TLS extension Renegotiation indication
I'm sorry, but I think it is a bad idea to use a flawed design for
the TLS finished message by subverting the collision resistence
of stronger secure hash functions that are used for the PRF.
Ietf mailing list