On Sat, Sep 19, 2009 at 11:50:35AM -0400, Andrew Dunstan wrote:
>
>
> David Fetter wrote:
>> I suggest that we start by putting secure hashing algorithms into the
>> core distribution so, should MD5 ever break, we have real
>> alternatives, and not done in a panic.
>
> Doing that now would be quite premature. Which algorithm would we choose?
>
> And there is no urgency at all about it, since AIUI an attack on our use
> of it would require a preimage attack:
>
>    At the time of this writing, there are no practical preimage
>    attacks, meaning that if your use of hashes is only susceptible to
>    preimage attacks, even MD5 is just fine because an attacker would
>    have to make 2^128 guesses, which will be infeasible for many
>    decades (if ever). (quoted from <http://www.vpnc.org/hash.html>)
>
>
> The time for us to look at this again is more properly when the NIST
> SHA-3 competition ends, I believe. That's at least a couple of years
> away. See <http://csrc.nist.gov/groups/ST/hash/timeline.html>

OK

> As for the suggestion that we should put other crypto functions into
> the core, AIUI the reason not to is not to avoid problems with US
> Export Regulations (after all, we've shipped source tarballs with
> it for many years, including from US repositories), but to make it
> easier to use Postgres in places where use of crypto is illegal.

To date, I have not found an example of such a place. For the record,
would you or anyone seeing this be so kind as to provide one, along
with some kind of evidence that somewhere, such a law has actually
been enforced?

> What benefit would we gain from making general crypto part of the
> core?

People may wish to encrypt things in the database.

Cheers,
David.
--
David Fetter <da...@fetter.org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david.fet...@gmail.com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate