Zooko Wilcox-O'Hearn wrote:
> Thanks for the reply. Too bad you can't wait for SHA3.

Waiting for SHA-3 means waiting until 2012 and that is totally unrealistic.

> Now you'll have
> to think about whether new cryptanalytic results against SHA-256 mean
> that SHA-256-trunc-160 is vulnerable and if so what effect that has on
> the safety of your scheme.

That is a risk we have to take, but we aren't dependent on the truncated SHA-256 for security of the ciphertext; the MAC and the truncated SHA2-256 together provide that for us.

> But, I don't have a better solution for you, other than Nico Williams's
> proposal to put a MAC on only the root, which you've already rejected as
> being too disruptive of a change at this point.

It is, yes, but it can be investigated for the future - ZFS is versioned on disk and we can thus make changes like this.

--
Darren J Moffat