Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> writes:
Why is anyone going to move from SHA-2 to SHA-3 ?
There isn't one. As a result of the SHA-3 competition, we now know that SHA-2
is a lot stronger than people had originally thought (based on its SHA-1
heritage). So the real winner of the SHA-3 competition was SHA-2.
For OpenPGP, I think the case for 512 only or 256 and 512 is pretty strong.
The case for -256 only is that it's no worse than -512 but half the size.
This is particularly egregious for things like TLS and SSH, where you have to
use an idiotic-length 64-byte MAC if you want to protect a single-byte
keystroke. It's less so for PGP and S/MIME where you're not sending a
constant stream of packets all unnecessarily bloated up by 64 bytes, but it's
still pointless.
Peter.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp