Re: ASN.1 OID for TIGER/192

2002-09-30 09:55:22

On Fri, Sep 27, 2002 at 03:50:54PM +0000, Brian M. Carlson wrote:

> I think it would be the height of silliness to have an algorithm in
> the standard and prohibit its use. In fact, it is like revoking your
> signature on someone's key: it is a vote of no confidence, a statement
> that it is worthless.

Of course, but OpenPGP is sensitive to the strengths of all of its
hash algorithms (as noted in the "Security Considerations" section).
If TIGER was put into the standard with less care because it couldn't
be used anyway without an OID, then now is an appropriate time to
decide whether it should be in the standard or not.  Mind you, I don't
know the history here - there could have been significant care taken.

I'm not for or against using TIGER in OpenPGP, but my feeling is that
if we are going to include TIGER, then we should do it intentionally,
with all due care taken.


   David Shaw  |  dshaw(_at_)jabberwocky(_dot_)com  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

