ietf-openpgp

Re: [Sam Hartman] Openpgp comments

2006-09-22 06:17:23

On 9/20/06, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
> On Wed, 20 Sep 2006 13:40, Anton Stiglic said:
>> NIST is planning to phase out SHA-1 by 2010, they are going with SHA-224,
>> SHA-256, SHA-384 and SHA-512.
>> http://csrc.nist.gov/hash_standards_comments.pdf
>>
>> In Canada, CSE will phase out SHA-1 for protected C information by 2008.
>
> A note to describe why we use SHA-1 with the MDC would really be
> appropriate.  We are not using it for authentication but to detect
> manipulation of data.  This is commonly known as a checksum.  Thus,
> the acronym MDC and not MAC.  To me detection and authentication have
> different semantics.
>
> It has been said a few times: The MDC is not what we need to care
> about when thinking of SHA-1 vulnerabilities.  There are other usages
> of SHA-1 we need to rethink.
>
> And that reasoning should be in 2440bis.

I think it's too early to get excited about politics.  The issue is
much simpler - non-experts are in no position to 'evaluate' OpenPGP's
use of SHA-1; they depend on the opinion of experts on whether an algorithm
is generally secure.

So if 2440bis wants to appear secure by today's standards (for the
general public), it needs to either use generally known safe algorithms
or explicitly document that the weaknesses in older algorithms it uses
are taken into account.

--
marko
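To illustrate Werner's point that the MDC is a keyless checksum rather than a MAC, here is an added example (not code from the thread or from GnuPG) that builds and verifies the MDC trailer the way RFC 4880 (the published 2440bis) defines it: SHA-1 over the data followed by the two octets D3 14, with the digest appended. It omits the random prefix octets a real SEIP packet also hashes, and the HMAC helper is only there for contrast.

```python
import hashlib
import hmac
from typing import Optional

# Two octets the MDC packet header contributes to the hash:
# tag 0xD3 (Modification Detection Code packet) and length 0x14 (20 octets).
MDC_PREFIX = b"\xd3\x14"


def append_mdc(data: bytes) -> bytes:
    """Return data || D3 14 || SHA-1(data || D3 14), the body that gets encrypted.

    No key is involved: anyone who knows `data` can compute this trailer,
    which is why it detects manipulation but does not authenticate the sender.
    """
    digest = hashlib.sha1(data + MDC_PREFIX).digest()
    return data + MDC_PREFIX + digest


def check_mdc(body: bytes) -> Optional[bytes]:
    """Strip and verify the MDC trailer; return the data, or None if it fails."""
    if len(body) < 22 or body[-22:-20] != MDC_PREFIX:
        return None
    data = body[:-22]
    expected = hashlib.sha1(data + MDC_PREFIX).digest()
    if not hmac.compare_digest(expected, body[-20:]):
        return None
    return data


def append_mac(key: bytes, data: bytes) -> bytes:
    """Contrast only: a MAC binds the tag to a secret key, which the MDC never does."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def flip_byte(body: bytes, index: int) -> bytes:
    """Constructed tampering: invert one byte of the (would-be decrypted) body."""
    return body[:index] + bytes([body[index] ^ 0xFF]) + body[index + 1:]


if __name__ == "__main__":
    msg = b"constructed sample plaintext"      # constructed sample input
    body = append_mdc(msg)
    assert check_mdc(body) == msg              # intact body verifies
    assert check_mdc(flip_byte(body, 3)) is None   # one flipped byte is detected
    # Keyless: a second party with no secret produces the identical trailer.
    assert append_mdc(msg) == body
    # A MAC with a different key yields a different tag; the MDC has no such binding.
    assert append_mac(b"k1", msg) != append_mac(b"k2", msg)
    print("MDC checks passed")
```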