On 20 Jan 2017, at 20:57, Ruediger Pluem <rpl...@apache.org> wrote:

> On 01/20/2017 05:01 PM, Eric Covener wrote:
>> On Fri, Jan 20, 2017 at 10:52 AM, Yann Ylavic <ylavic....@gmail.com> wrote:
>>> On Fri, Jan 20, 2017 at 4:19 PM, Dirk-Willem van Gulik
>>> <di...@webweaving.org> wrote:
>>>>
>>>> Ok so if we had a special #ifdef for 'TRUE_MD5 and would manually
>>>> tweak/mark up the 2 or 3 places that we know we need a real MD5 -
>>>> we could have a 'fiddle' mode where we silently return a better 'md5'
>>>> in the places where we would like to use a SHA256 but it is just too
>>>> much hassle to adjust things.
>>>
>>> MD5 *is* MD5, preferably used (and not recommended) for
>>> non-cryptographic purpose, but still I think apr_md5()'s result
>>> shouldn't differ from whatelse_md5()'s.
>>>
>>> We can't break users silently, if they use MD5, well they have it.
>>
>> +1
>>
> +1

Darn - I thought I would not get away with this - but had to try :).

Will preserve - and am now on a path of considering a 32/128/256 bit digest which is not crypto secure and which we use for digest purposes and ones which are for interoperability & actual security (unguessable, unsynthesizable) reasons.

Dw.