Hi all,

MD5 was broken about half a year ago and now it seems as if SHA-1
was gone as well[1].

JDK 1.2 and 1.3[2] only list MD2 as an alternative while JDK 1.4 adds[3]
SHA-256, SHA-384, and SHA-512.

MD2 doesn't look better than MD5 and the longer SHA variants aren't
available on older JDKs.

To me it almost looks as if we should recommend not using <checksum>
for any security-related stuff at all, but rely on PGP and similar
measures.  In particular we probably shouldn't create MD5 checksums
for the next Ant release since they've become useless and people need
to go the PGP route more than ever to really trust our downloads.

Stefan

Footnotes: 
[1]  http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

[2]  http://java.sun.com/j2se/1.3/docs/guide/security/CryptoSpec.html#AppA

[3]  http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#AppA

[4]  http://en.wikipedia.org/wiki/MD2#Security
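
The following is an added example, not part of the original message and not Ant's own code. It asks the running JRE which of the digest algorithms named above it actually provides, then hashes a file with the strongest one found. The class name DigestProbe and the strongest-first ordering are assumptions of this example; the style avoids generics and for-each so it also compiles on the older JDKs the message is concerned with.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestProbe {
    // Standard JCA algorithm names; the strongest-first ordering is this example's assumption.
    static final String[] CANDIDATES = {"SHA-512", "SHA-384", "SHA-256", "SHA-1", "MD5", "MD2"};

    static boolean isAvailable(String algorithm) {
        try {
            MessageDigest.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false; // no installed provider implements it
        }
    }

    // Streams the input so large archives are never held in memory.
    static String hexDigest(String algorithm, InputStream in) throws Exception {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] buf = new byte[8192];
        for (int n = in.read(buf); n != -1; n = in.read(buf)) {
            md.update(buf, 0, n);
        }
        byte[] d = md.digest();
        StringBuffer hex = new StringBuffer();
        for (int i = 0; i < d.length; i++) {
            hex.append(Character.forDigit((d[i] >> 4) & 0xF, 16));
            hex.append(Character.forDigit(d[i] & 0xF, 16));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        String best = null;
        for (int i = 0; i < CANDIDATES.length; i++) {
            boolean ok = isAvailable(CANDIDATES[i]);
            System.out.println(CANDIDATES[i] + ": " + (ok ? "available" : "missing"));
            if (ok && best == null) best = CANDIDATES[i]; // first hit is the strongest
        }
        if (best == null || args.length != 1) return; // nothing to hash
        InputStream in = new FileInputStream(args[0]);
        try {
            System.out.println(best + "  " + hexDigest(best, in));
        } finally {
            in.close();
        }
    }
}
```

Run without arguments to list what the runtime offers, or with one file path to also print that file's digest.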

