On Wed, 20 Sep 2006 13:40, Anton Stiglic said:
> NIST is planning to phase out SHA-1 by 2010, they are going with SHA-224,
> SHA-256, SHA-384 and SHA-512.
> http://csrc.nist.gov/hash_standards_comments.pdf
> In Canada, CSE will phase out SHA-1 for protected C information by 2008.
A note to describe why we use SHA-1 with the MDC would really be
appropriate. We are not using it for authentication but to detect
manipulation of data. This is commonly known as a checksum. Thus,
the acronym MDC and not MAC. To me detection and authentication have
different semantics.
It has been said a few times: The MDC is not what we need to care
about when thinking of SHA-1 vulnerabilities. There are other usages
of SHA-1 we need to rethink.
Over the last 8 years since rfc2440 we have talked several times about
things we want to address in the future. There is actually a long
list. We can't keep important OpenPGP features - which address actual
vulnerabilities - any longer in an I-D state just for the sake of
getting rid of SHA-1 now. We need time to address all these items
properly and not do some ad-hoc solutions. In the meantime 2440bis
needs to get out. Whether with or without an MDCv2 political option, I
don't care.
> I don't know what is going on in Europe and the rest of the world, but I
> would be surprised if they were going with SHA-1 in the long term.
> You cannot ignore these decisions if you want openpgp to be successful.
I have not heard about any plans to switch to SHA-2. At least Germany
is still using RIPEMD-160 out of fear that SHA-1 has been developed
in the U.S. I don't think that this algorithm is any better than
SHA-1 but some people decided in the past to use a European algorithm
(another layer 9 issue).
Salam-Shalom,
Werner
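As an added illustration of the distinction drawn above between a modification-detection code and a MAC, here is a small Python example. It is not code from the message or from any OpenPGP implementation: the OpenPGP MDC packet framing is left out, the sample plaintext and keys are constructed, and the function names are the example's own. It shows that an unkeyed SHA-1 checksum and a keyed HMAC both detect a changed byte, but only the MAC ties the check to a secret, which is why the checksum is called "detection" rather than "authentication".

```python
import hashlib
import hmac
import os

# Constructed sample plaintext for the demonstration (not from the list message).
PLAINTEXT = b"Meeting moved to 15:00, room 2B."


def mdc(data: bytes) -> bytes:
    """Unkeyed modification-detection code: SHA-1 over the data.

    Modelled on the idea behind the OpenPGP MDC (an integrity checksum that is
    encrypted together with the plaintext); the exact RFC 4880 packet framing
    is deliberately omitted, so this is a simplified illustration.
    """
    return hashlib.sha1(data).digest()


def mdc_verify(data: bytes, tag: bytes) -> bool:
    """Recompute the checksum and compare in constant time."""
    return hmac.compare_digest(mdc(data), tag)


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed message authentication code (HMAC-SHA-256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    """Verification needs the same key that produced the tag."""
    return hmac.compare_digest(mac(key, data), tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate an accidental or deliberate one-bit change in the data."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    """Compare what the two constructions guarantee on a modified message."""
    key = os.urandom(32)          # constructed key, known only to this party
    other_key = os.urandom(32)    # a different key, e.g. another party's

    tag_mdc = mdc(PLAINTEXT)
    tag_mac = mac(key, PLAINTEXT)
    altered = flip_bit(PLAINTEXT, 8)

    return {
        # Both constructions notice that the data no longer matches the tag.
        "mdc_detects_change": not mdc_verify(altered, tag_mdc),
        "mac_detects_change": not mac_verify(key, altered, tag_mac),
        # The MDC is a function of the data alone: no secret is involved, so it
        # is integrity detection, not proof of who produced the data.
        "mdc_is_unkeyed": mdc_verify(altered, mdc(altered)),
        # A MAC over the same data does not verify under a different key.
        "mac_bound_to_key": not mac_verify(other_key, altered, mac(key, altered)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In OpenPGP the MDC gets its protection from being encrypted in the same CFB stream as the plaintext, which is why the list discussion treats it separately from the places where SHA-1 is used for signatures and fingerprints.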