
SHA-1 (was RE: MD5 warning)



Rumors aside, there is no published break of SHA-1.  Even SHA-0 isn't fully
broken.  People will continue to work on SHA-1 so it might break one of
these years, but I will still recommend using it.

 - Carl 

> -----Original Message-----
> From: owner-ietf-openpgp@xxxxxxxxxxxx 
> [mailto:owner-ietf-openpgp@xxxxxxxxxxxx] On Behalf Of Lutz Donnerhacke
> Sent: Saturday, August 21, 2004 3:14 PM
> To: ietf-openpgp@xxxxxxx
> Subject: Re: MD5 warning
> 
> 
> * David Shaw wrote:
> > On Sat, Aug 21, 2004 at 09:23:13PM +0000, Lutz Donnerhacke wrote:
> >> Not necessary. All known attacks do not impose a direct risk to md5 based
> >> OpenPGP issues.
> >
> > True, but would you recommend using MD5 these days?
> 
> No. I won't recommend any hash solely based on bit-logic and modular
> arithmetic these days.
> 
> > The time to deprecate it is before it is completely broken, and the
> > attacks do pose a direct risk.
> 
> OpenPGP recommends SHA1. I'm feeling bad with this, but this is not the
> subject of discussion.
> 
> > MD5 showed some signs of weakness a few years ago.  A few days ago, it
> > showed some pretty serious problems.  Let's let it go now while it is
> > relatively easy to do so.
> 
> MD5 shares some weaknesses with other hash algorithms. Don't blame MD5 alone.
> 
> > In section 9.4, add a note indicating that hash algorithm 1 is MD5,
> > but MD5 is deprecated, and SHOULD NOT be used.
> 
> So please add "SHA1 MAY NOT be used."
>