Yep, and IMHO picking a hash function with a different inner structure
from SHA-1, and designed to address the issue coming with it, such as
SHA-3, may quite be a good idea.

I feel like a churl for observing this, but the history of
Merkle-Damgård hashes is really not very good. MD4, MD5, SHA-0, SHA-1,
RIPEMD, and probably RIPEMD-160 and/or RIPEMD-128.

Some of this is because these are popular hash functions and as a result
have received the most cryptanalysis. But part of me wonders if now
would not be an excellent time to introduce a non-Merkle-Damgård hash to
OpenPGP, in the hopes that maybe it will fare better.
openpgp mailing list