On 30/07/2024 21:57, Tim Düsterhus wrote:
Let me attempt to give an explanation. As of today users should use in
order of priority:
1. The hash function they need for interoperability: If a service
provides a SHA-1 checksum, then there is no choice and SHA-1 needs to
be used.
2. The hash function their security team requests them to use.
3. A function from the SHA-2 family, with SHA-256 being a good default
choice, because that's the secure default choice across the industry.
Thanks, this is a good concise explanation, and exactly the kind of
thing I think should be in the documentation *before* we start telling
people they're "doing it wrong" by using md5() or sha1().
It also strengthens my conviction that we should add sha256() and
sha256_file() as standalone functions: a "good default choice" is really
all most users want or need. There seems to be no risk of us needing to
add a new function every other year, or provide a dozen functions to
cover different use cases.
Users in scenarios 1 or 2 will know what to look up in the hash_algos()
list and pass to hash(). Users who have complex use cases like
incremental hashing, or whatever hash_hkdf() does, can keep using the
complex but flexible functions that provide those facilities.
Note that if SHA-256 ever stops being the recommendation, having a
sha256() function will give us the same opportunity we have now with
md5() and sha1(): to issue a message to users of the standalone
function, but keep the algorithm fully available in hash().
Regards,
--
Rowan Tommins
[IMSoP]
