On 18 Aug 2004, at 6:54 AM, <vedaal(_at_)hush(_dot_)com> wrote:
would it be reasonable to re-accept the non-sha based hashes, (e.g.
TIGER)
as a potential backup hash for implementations/users that may wish to
begin doing so?
Not really, no. There are already perfectly good backup algorithms.
The reason we removed Tiger is that it hasn't been examined or used at
all. None of these things apply to Tiger, and it is therefore still not
well examined nor used. Going from a hash function that has been
examined to one that hasn't isn't presently warranted.
SHA-1 isn't broken yet. Even the ones that have been broken haven't
been broken (yet) in ways that permit signature forging. What we know
now is that the functions we've been saying for close to a decade
shouldn't be used really shouldn't be used.
If you're worried about SHA-1, you should move to SHA-256. Don't be
scared by the fact that it's called "SHA."
If you want to do something *really* practical and good, stop using
your V3 keys. (That's the editorial you, not vedaal specifically.)
I'm sitting in the hash sessions at Crypto now, and SHA-1 isn't broken.
Again, if you still want to do something, start using SHA-256.
Jon