On Jul 29, 2013, at 3:14 PM, Donald Stufft <don...@stufft.io> wrote:
> > On Jul 29, 2013, at 2:57 PM, zooko <zo...@zooko.com> wrote: > >> I'd like to push back on the other risk, that someone might figure out how to >> make MD5 second-pre-images. I don't think this is a risk that we need to >> urgently address, and I've written a short note explaining why. This note is >> incomplete, badly edited, has not been peer-reviewed, and is not ready for >> publication, but I thought it might help folks evaluate how urgent it is to >> upgrade from MD5, so here it is. > > I don't think it's urgent to fix it, but I think it's a good security > hardening effort > with very little downside and very little chance of regression. However, as I > said if Holger, or anyone else, has a concern about the affects of adding this > bit of security hardening to give us a safety net again then I simply won't do > it in the simple API. > > ----------------- > Donald Stufft > PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA > > _______________________________________________ > Distutils-SIG maillist - Distutils-SIG@python.org > http://mail.python.org/mailman/listinfo/distutils-sig Somewhat relevant to the question at hand: http://valerieaurora.org/hash.html (Yes it lists sha-2 as weakened, which it is. However sha-3 isn't widespread enough for us :( ) ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig
