
Re: WG Last Call: SHA-224



Probably should have sent this to the list in general. I think it's a serious
question if SHA-224 offers any benefit in *any* environment. Are people
seriously rolling out new systems (with new algorithms, such as
SHA-{224,256,384,512}) that are still using 3DES? Seems a bit counterintuitive
(to me) to be changing the hash and not go ahead and swap in AES while you're
at it. If someone really wants this and wants it RFCized, then fine, I just
don't see the logic behind it.

In particular, why should the strength of a signature be tied to the strength
of encryption which might be used in the same system? I don't see these as
being logically paired.

-Jack

----- Forwarded message from Jack Lloyd <lloyd@xxxxxxxxxxxxx> -----

From: Jack Lloyd <lloyd@xxxxxxxxxxxxx>
To: Paul Hoffman / IMC <phoffman@xxxxxxx>
Date: Mon, 29 Mar 2004 11:07:41 -0500
Subject: Re: WG Last Call: SHA-224

On Sun, Mar 28, 2004 at 10:52:58AM -0800, Paul Hoffman / IMC wrote:
> 
> bandwidth-restricted environments where an extra 32 bytes is 
> important. None of the documents above discuss any such environments.

32 *bits* you mean. That would have to be one awfully bandwidth-restricted
system, and in any case it's rare (that I've seen) that a hash is sent
directly, either it's used with HMAC (in which case one can use SHA-* and
safely truncate to 96-128 bits regardless of the hash size), or it's used with
a sig, in which case it doesn't matter anyway (an RSA sig with SHA-224 is just
as big as one with SHA-256 or SHA-512 or whatever). In particular the three
drafts being held up by the SHA-224 draft all seem to be for PK, where the
smaller size doesn't offer anything except for possibly reducing the strength
of the signature/encryption.

-Jack

----- End forwarded message -----
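As an added illustration of the size argument in the forwarded message (this is example code, not part of the thread): the SHA-224 and SHA-256 outputs differ by 4 bytes, an HMAC tag truncated to 96 bits has the same length whichever hash is underneath, and an RSA PKCS #1 v1.5 signature is always as long as the modulus because EMSA-PKCS1-v1_5 pads the hash out to the modulus length. The DigestInfo prefixes are the constants from RFC 3447 section 9.2; the 2048-bit modulus size and the message and key bytes are assumed values chosen for the demonstration.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefixes from RFC 3447 (PKCS #1 v2.1), section 9.2, note 1.
DIGEST_INFO_PREFIX = {
    "sha224": bytes.fromhex("302d300d06096086480165030402040500041c"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v15_encode(message: bytes, hash_name: str, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding (RFC 3447 section 9.2).

    The result is always em_len bytes long (the modulus length in bytes), so
    the choice of hash only changes how many 0xff padding bytes are used, not
    the size of the signature produced from this encoded message.
    """
    digest = hashlib.new(hash_name, message).digest()
    t = DIGEST_INFO_PREFIX[hash_name] + digest
    # Sanity check: the outer SEQUENCE length byte must cover the whole DigestInfo.
    if t[0] != 0x30 or t[1] != len(t) - 2:
        raise ValueError("DigestInfo prefix does not match digest length")
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def truncated_hmac(key: bytes, message: bytes, hash_name: str, out_bits: int) -> bytes:
    """HMAC with the named hash, truncated to out_bits (RFC 2104 section 5 style).

    Truncation fixes the tag length independently of the hash output size;
    forgery resistance is then bounded by out_bits, not by the full digest.
    """
    tag = hmac.new(key, message, hash_name).digest()
    return tag[: out_bits // 8]


def size_comparison(modulus_bits: int = 2048) -> dict:
    """Return the lengths the thread argues about, for SHA-224 vs SHA-256."""
    msg = b"constructed sample message"  # assumed input
    key = b"constructed sample key"      # assumed input
    em_len = modulus_bits // 8
    return {
        "digest_bytes": {h: hashlib.new(h).digest_size for h in ("sha224", "sha256")},
        "hmac96_bytes": {h: len(truncated_hmac(key, msg, h, 96)) for h in ("sha224", "sha256")},
        "rsa_em_bytes": {h: len(emsa_pkcs1_v15_encode(msg, h, em_len)) for h in ("sha224", "sha256")},
    }
```

Only `digest_bytes` differs between the two hashes (28 vs 32, i.e. the 32 bits the reply corrects); the truncated HMAC tag and the encoded message that gets signed are the same length either way.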
