On Tue, Mar 8, 2011 at 10:45 AM, Martin Rex <[email protected]> wrote: > Eric Rescorla wrote: >> >> Marsh Ray wrote: >> > >> > I think he's arguing that anything cut down to 96 bits represents a lousy >> > hash function allowing practical collisions on today's hardware. >> >> Perhaps, but this isn't a digest but rather a MAC, and so the attack >> model is different. > > You seem to be forgetting that the finished messages have been reused > for other purposes already:
No, I'm not forgetting that. That doesn't change the fact that the computation is a MAC. > RFC-5929 TLS Channel Bindings > RFC-5746 TLS extension Renegotiation indication > > > I'm sorry, but I think it is a bad idea to use a flawed design for > the TLS finished message by subverting the collision resistence > of stronger secure hash functions that are used for the PRF. Yes, I realize you think that, but until you offer a cryptographic argument for that opinion I guess we're just going to have to disagree. -Ekr _______________________________________________ Ietf mailing list [email protected] https://www.ietf.org/mailman/listinfo/ietf
