ietf-openpgp

SHA-1 (was RE: MD5 warning)

2004-08-21 22:33:10

Rumors aside, there is no published break of SHA-1.  Even SHA-0 isn't fully
broken.  People will continue to work on SHA-1 so it might break one of
these years, but I will still recommend using it.

 - Carl 

-----Original Message-----
From: owner-ietf-openpgp(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-openpgp(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Lutz Donnerhacke
Sent: Saturday, August 21, 2004 3:14 PM
To: ietf-openpgp(_at_)imc(_dot_)org
Subject: Re: MD5 warning


* David Shaw wrote:
On Sat, Aug 21, 2004 at 09:23:13PM +0000, Lutz Donnerhacke wrote:
Not necessary. All known attacks do not impose a direct risk to md5 based
OpenPGP issues.

True, but would you recommend using MD5 these days?

No. I won't recommend any hash solely based on bit-logic and modular
arithmetic these days.

The time to deprecate it is before it is completely broken, and the
attacks do pose a direct risk.

OpenPGP recommends SHA1. I'm feeling bad with this, but this is not the
subject of discussion.

MD5 showed some signs of weakness a few years ago.  A few days ago, it
showed some pretty serious problems.  Let's let it go now while it is
relatively easy to do so.

MD5 shares some weaknesses with other hash algorithms. Don't blame MD5 alone.

In section 9.4, add a note indicating that hash algorithm 1 is MD5,
but MD5 is deprecated, and SHOULD NOT be used.

So please add "SHA1 MAY NOT be used."


