On Mon, Sep 18, 2006 at 05:39:14PM -0700, Jon Callas wrote:
So -- my question for the WG: Is this alright with you? I want to get
2440bis done. I think that answers the perception that SHA-1 isn't
good enough, without causing us to do a lot of work. If y'all think
this is good, I'll do it in the next few days.
What troubles me is that this is attempting to fix a perceived problem
that isn't really a problem. Fixing perceived problems is sometimes
harder than fixing real ones. For example, if the mere use of SHA-1
is the problem, there are also a number of other places where SHA-1 is
hardcoded (which aren't a problem either) that aren't "resolved" by
this.
It will take a very long time (at least a year, if not longer) before
a MDC2 and MDC3 are widely supported, and until then we run the risk
of interoperability problems. It probably won't be as bad as some of
the interoperability problems in the past as the preferences and
feature flags are more widely implemented now, but it's still a change
with the usual risks of change.
I suggest we at least push back a little bit, and send your excellent
explanation of the issue to the appropriate people at the IESG. After
that, if they still want a hash upgrade, I will not object.
David