Hal Finney wrote:
James Couzens writes:
I had thought it a bit strange that someone writing so comprehensively
about something related to digital signatures and to then make the
statement as you did at the end of the paragraph I quoted. Did you have
some other intended meaning, such as broken by draft explicit
prohibition or otherwise declared deprecated in a future draft?
Yes, sorry, my language was not as precise as it might have been.
I said we should be ready in case SHA-1 were broken, but as you note
it has been officially "broken" for over a year. However that is just
a theoretical break and no actual examples of SHA-1 message collisions
have yet been published. So at this point SHA-1 is in a bit of a limbo
state, theoretically broken but still in widespread use.
Its also worth noting that reducing the collision resistance to 2^69
still leaves it stronger than unbroken MD5 and is still well within the
realms of hardness we require.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff