On Mon, Oct 12, 2015 at 8:46 AM, Daniel A. Nagy
Now that SHA1 is on the brink of being broken, I believe that all
Merkle–Damgård hashes should be avoided in new designs. Keccak (SHA-3)
is just better in so many ways.
The consensus among folk who followed the SHA-3 competition more
closely than I did was that they came to understand a lot more about
SHA-2 and were much more confident about it as a result.
The strong consensus is that every application requiring a digest
should require either SHA-2 or SHA-3 and strongly recommend BOTH.
SHA-3 is a newer construction and has been chosen so that it is highly
unlikely that a single attack would defeat both. But it is not
considered 'more secure'. It is different but that only gives you an
advantage if you use both so that you can make use of the diversity.
We stopped using MD5 very quickly. Most people had dropped it before
the attack was widely known. That was possible because SSL 2.0 had
required the use of MD5 and SHA-1 to construct the MAC. So the
transition was painless. It took the platform providers much longer to
support SHA2 and when they did they refused to support any mechanism
that would make it easy to manage the transition.
Due to the way OpenPGP works, it is not possible to have a recommended
algorithm for fingerprints. Every client has to be able to process any
recommended algorithm, so recommended means 'mandatory to accept'. But
there should definitely be two algorithms to choose from.
That is why I use the first octet in UDF to serve as an algorithm
flag. It is precisely so that we can adapt if the need should arise.
We can argue as to whether we need 8 bits or could survive with 5 or
even one. But if you want to do the job properly you need to have an
The other part of UDF is constructed so that it is possible to use the
same support infrastructure for both OpenPGP fingerprints and SSH
fingerprints without any risk of unfortunate interactions.
openpgp mailing list
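One way to realise the algorithm-tagged fingerprint and the "use both" policy discussed above, as an added example that is neither the UDF specification's nor the author's code; the one-octet tag values, the 16-octet truncation and the deprecation list are assumptions made for illustration:

```python
import hashlib
import hmac

# Hypothetical one-octet algorithm tags (assumption: not the real UDF values).
ALG_SHA1 = 0x00      # legacy tag, still recognised so it can be rejected explicitly
ALG_SHA2_256 = 0x01
ALG_SHA3_256 = 0x02

DEPRECATED = {ALG_SHA1}

# Digest functions reachable through the tag octet; unknown tags are not guessed.
_DIGEST = {
    ALG_SHA1: lambda data: hashlib.sha1(data).digest(),
    ALG_SHA2_256: lambda data: hashlib.sha256(data).digest(),
    ALG_SHA3_256: lambda data: hashlib.sha3_256(data).digest(),
}


def fingerprint(alg: int, data: bytes, length: int = 16) -> bytes:
    """Return tag octet || first `length` octets of the tagged algorithm's digest."""
    if alg not in _DIGEST or alg in DEPRECATED:
        raise ValueError(f"algorithm tag {alg:#04x} not allowed for new fingerprints")
    return bytes([alg]) + _DIGEST[alg](data)[:length]


def verify(fp: bytes, data: bytes) -> bool:
    """Dispatch on the leading octet; deprecated tags fail, unknown tags raise."""
    if not fp:
        return False
    alg = fp[0]
    if alg not in _DIGEST:
        raise ValueError(f"unsupported algorithm tag {alg:#04x}")
    if alg in DEPRECATED:
        return False  # a legacy fingerprint never verifies, even if the digest matches
    expected = _DIGEST[alg](data)[:len(fp) - 1]
    return hmac.compare_digest(fp[1:], expected)


def verify_both(fps, data: bytes) -> bool:
    """Diversity policy: require one SHA-2 and one SHA-3 fingerprint, and all must match."""
    tags = {fp[0] for fp in fps if fp}
    if not {ALG_SHA2_256, ALG_SHA3_256} <= tags:
        return False
    return all(verify(fp, data) for fp in fps)
```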