[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Release file changes



On Mon, Feb 21, 2011 at 01:05:02PM -0500, Michael Gilbert wrote:
> What indications are there that SHA-512 is weak?

It might be worth approaching from a pragmatic perspective... why
generate SHA-512 checksums when you're only going to be signing a
SHA-256 digest of that list (that is unless you want to alienate
users of OpenPGP-compliant tools which don't implement optional
algorithms). Is it because you feel SHA-512 is more
tamper-resistant, or because you're worried that you might wind up
with two entries accidentally colliding over the same SHA-256 hash
(which is pretty unlikely statistically speaking, and even then may
not be particularly relevant depending on the use case for the
hashes).
-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi@yuggoth.org); FINGER(fungi@yuggoth.org);
MUD(kinrui@katarsis.mudpy.org:6669); IRC(fungi@irc.yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }


Reply to: