Jon Callas wrote:
I think we ought to keep it with the same algorithm number.
I'm happy to put in SHA-224 (meaning it's trivial work), but I don't
like it, myself. The reason is that SHA-224 is really a truncated
SHA-256. Thus, it has no advantages over SHA-256 except being smaller by
32-bits with 112 bits of security. The reason it exists at all is for
crypto-balance with 2-key 3DES (which is not TDEA), which we don't allow
at all.
<pedantic>
3-key DES also has a strength of 112 bits.
</pedantic>
I don't think we should have it as it goes against our
principles of wanting a minimum of 128-bits of security in OpenPGP.
(Yes, yes, I know that SHA-1 doesn't meet this either, but until
SHA-256, we didn't have many options. That doesn't mean the principle is
wrong; we *have* options.)
Jon
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff