On Thu, 2017-02-23 at 13:58 -0500, Robert J. Hansen wrote:
> "Migrating to SHA256" section in the FAQ?
What I always kind of wonder is why crypto or security experts, at least in some sense, never seem to learn.

When MD5 got its first scratches, some people started demanding its ASAP retirement (which didn't happen... partially also with arguments that it's not yet broken for this and that purpose in practice)... In the end people waited so long that it was in a way already too late. Remember the forged MD5-based X.509 cert? And this was made by some "good guys"; God knows how many actual attacks may have been driven by much stronger organisations where people actually were harmed in the end.

SHA1 may have been phased out (more or less) in the X.509 world, but it's still pretty present in many other places. It's been known to have issues for some years, and for the same number of years many experts still defended it as not being broken for this and that use case... And now we're again in the situation that it's still used in production (probably for years to come), and we have at least a collision. That may not be the one big fire alert where everything burns down... but it should really be a ringing bell...

Now every time new algos come up, or e.g. when ideas for the next OpenPGP version are started, a big bunch of experts seem to go for the most conservative way possible. And I'm not talking about the good conservatism (i.e. using algos based on long-standing and well-understood math)... but rather things like "let's better not use SHA512 or SHA3 when we could also just use SHA256", "let's better not specify large curves when we can go by a much smaller one". And every time the same argument is brought up, that these would still be way more than enough to take hundreds of years to be cracked... but so far (as with SHA1) it was always broken much earlier.

The last time I followed the discussion about the next OpenPGP, it seemed people rather wanted to hard-wire only a few algos for everything, which would be just the same problem as with SHA1... Instead all algos should be pretty easily exchangeable. So if the same happens for the next OpenPGP version, just with SHA256, I'll bet that we face the same problems with SHA256 far earlier than everyone wishes. Not to mention the more and more realistic threat posed by quantum computers.

IMO we should rather go for the stronger algos, or even combine algos when this makes sense because their underlying math is different, so that breaking one would still not directly affect the other. And we should rather make any crypto algo as easily exchangeable as possible.

Cheers,
Chris.
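The two design points in the message above, easily exchangeable hash algorithms and combining functions from different families, can be illustrated with a small self-describing digest format. The following Python is an added example, not code from the original message and not GnuPG or OpenPGP code; the label layout (`algo1+algo2:hex1:hex2`) and the `POLICY` table are constructed for this illustration. Retired algorithms stay in the table so that old labels are rejected with a clear reason rather than failing as "unknown", and moving an algorithm from allowed to retired is a one-entry policy change, not a format change.

```python
"""Crypto-agile digest labels (constructed example, not GnuPG/OpenPGP code)."""
import hashlib
import hmac

# Assumed verifier policy: which hash algorithms are still accepted.
# Retired entries remain so that old labels parse and are refused with a reason.
POLICY = {
    "md5":      "retired",
    "sha1":     "retired",
    "sha256":   "allowed",
    "sha512":   "allowed",
    "sha3-256": "allowed",
    "sha3-512": "allowed",
}

# Map label names to the names hashlib understands.
_HASHLIB_NAMES = {"sha3-256": "sha3_256", "sha3-512": "sha3_512"}


def _digest(algo, data):
    """Hex digest of data under the named algorithm."""
    return hashlib.new(_HASHLIB_NAMES.get(algo, algo), data).hexdigest()


def make_label(data, algos=("sha256",)):
    """Build a self-describing label 'algo1+algo2:hex1:hex2'.

    Listing functions from different families (e.g. SHA-2 and SHA-3)
    means a forgery has to collide in every listed function at once.
    """
    algos = tuple(algos)
    digests = [_digest(a, data) for a in algos]
    return "+".join(algos) + ":" + ":".join(digests)


def parse_label(label):
    """Split a label into (algorithm, hex digest) pairs; reject malformed input."""
    head, *digests = label.split(":")
    algos = head.split("+")
    if not head or len(algos) != len(digests):
        raise ValueError("malformed digest label")
    return list(zip(algos, digests))


def verify(label, data):
    """Return (ok, reason). Policy is checked before any digest is compared,
    so a retired algorithm is refused even when its digest would match."""
    for algo, expected in parse_label(label):
        status = POLICY.get(algo)
        if status is None:
            return False, "unknown algorithm " + algo
        if status != "allowed":
            return False, "algorithm %s is %s" % (algo, status)
        if not hmac.compare_digest(_digest(algo, data), expected):
            return False, algo + " digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    sample = b"constructed sample payload"          # constructed input
    print(verify(make_label(sample, ("sha256", "sha3-256")), sample))
    print(verify(make_label(sample, ("sha1",)), sample))   # refused by policy
```

Because the algorithm name travels with the digest, a verifier can retire SHA-1 (or later SHA-256) by editing `POLICY` alone, and producers can start emitting combined labels without breaking consumers that already parse the format.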