Re: md5 hashes used in security announcements

To: Bas Steendijk <beware@bircd.org>
Cc: debian-security@lists.debian.org
Subject: Re: md5 hashes used in security announcements
From: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 24 Oct 2008 18:14:10 +0200
Message-id: <[🔎] 874p327yy5.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 4901CC1A.5040809@bircd.org> (Bas Steendijk's message of "Fri, 24 Oct 2008 15:22:34 +0200")
References: <[🔎] 4901CC1A.5040809@bircd.org>

* Bas Steendijk:

> i have sent an email a while ago about the security implications of
> using MD5 hashes in the security announcements (DSA), but i didn't get
> any reply at all from this. has it been overlooked?

I don't know to which address you sent the address, so I don't know if
it's been overlooked.

My general take on this issue is that for this particular purpose, we
will stop using MD5 when someone comes up with an actual collision for a
hash published in a DSA.  It's not that these hashes are used for
automated processing.  We can't do anything about the old DSAs
containing MD5 hashes anyway.

Reply to:

Follow-Ups:
- Re: md5 hashes used in security announcements
  - From: Cyril Brulebois <kibi@debian.org>
- Re: md5 hashes used in security announcements
  - From: Bas Steendijk <beware@bircd.org>

References:
- md5 hashes used in security announcements
  - From: Bas Steendijk <beware@bircd.org>

Prev by Date: Re: md5 hashes used in security announcements
Next by Date: Re: md5 hashes used in security announcements
Previous by thread: Re: md5 hashes used in security announcements
Next by thread: Re: md5 hashes used in security announcements
Index(es):
- Date
- Thread