[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Monotone-devel] SHA- collision found
|
From: |
grarpamp |
|
Subject: |
Re: [Monotone-devel] SHA- collision found |
|
Date: |
Fri, 24 Feb 2017 13:32:00 -0500 |
On 2/24/17, Lapo Luchini <address@hidden> wrote:
> What's nice is that the attack vectors can be detected and a "hardened"
> version of SHA-1 that returns the same value in "normal" cases and
> different-but-secure values on attack vectors can be substituted.
Repos should address keeping / 'fixing' broken sha-1 as needed.
They also really need to create new native modes so users can
initialize and use repos with (sha-3 / sha-256 / whatever) going forward.
Backward compatibility with sha-1 or 'fixed sha-1' will be good. Clients
can taste repos for which hash mode to use, or add it to their configs.
Make things flexible, modular, configurable, updateable.
I don't see much point in 'fixing / caveating' their use of broken sha-1,
without also doing (sha-3 / optionals) in the first place, defaulting
new init's to whichever strong hash looks good, and letting natural
migration to that happen on its own through the default process.