On Sep 14, 2015, at 11:53 PM, Stephan Beal <sgb...@googlemail.com> wrote:

> it is not possible to change the hash without a near-complete overhaul of
> fossil (and its docs)

I’ve already addressed the documentation/UI issue repeatedly above: The fact that Fossil uses SHA-1 should be a hidden implementation detail, unimportant to anyone but those working on the lowest-level parts of Fossil. (Plus those working on compatible software such as libfossil and FUEL.)

> Supporting two hash variants in one fossil binary would likely prove to be
> problematic (and would require a major overhaul).

Why can’t an artifact’s or checkin’s hash be tagged in MCF fashion, so that when Fossil checks the hashes, it knows which algorithm to use at each step? Many other systems support multiple encryption and digest algorithms, and many of those can switch mid-stream to a different algorithm. This is known tech.

> Fossil does not use it in a cryptographic context

That’s a true non sequitur. Fossil uses SHA-1 as a kind of message authentication, the very sort of thing that HTTPS certificates use it for. Therefore, either Fossil’s use of SHA-1 is not like HTTPS certs in some respect I do not understand, or Google is wrong to be trying to push the web world off SHA-1 authenticated HTTPS certs.

> There are long threads somewhere in the list archives about the chances of
> hash collision. Management summary: not likely to happen for many human
> generations.

If you mean posts like this one

  http://www.mail-archive.com/fossil-users%40lists.fossil-scm.org/msg05979.html

then the prior discussion was all about accidental collision. I’m talking instead about motivated, well-trained, intelligent, well-funded attackers purposely attempting to engineer a collision. Not the same thing at all.

If you were going to point me instead to a different thread with the value 2^80 or (heaven forfend, 2^160) in it anywhere, you’d be pointing to something almost certainly not written by a cryptographer. That complexity only applied when SHA-1 had no known weaknesses. The Chinese attack from 2005 reduces the attack complexity to about 2^69 operations. The Stevens attack from 2011 reduces the attack complexity even further, to between 2^60.3 and 2^65.3 operations. Add to that the improvement from Moore’s Law and you’re talking about 5 to 7 orders of magnitude improvement.

Obviously the world’s HTTPS traffic is a far bigger target than public-facing Fossil repos, so Fossil’s urgency to get off SHA-1 should be lower. That said, attacks only get better, and Moore’s Law still has steam in it, at least for embarrassingly-parallel applications like hashing.

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
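The tagged-hash idea raised in the message above (carry an algorithm label with each artifact id so that verification can pick the right digest per id, the way MCF-style `$id$...` strings do), sketched here as an added Python example. This is not Fossil's code and not from the thread. Everything about the format is an assumption made for illustration: ids are `tag:hex`, a bare 40-hex-digit id is treated as a legacy untagged SHA-1, and the check-in "manifest" is a constructed toy format of `F <name> <id>` lines. The sample file contents are constructed as well.

```python
"""Algorithm-tagged artifact ids, in the spirit of the MCF '$id$...' convention.

Added example, not Fossil's code. Assumptions (mine, for illustration):
  * an id is '<tag>:<hex>', e.g. 'sha3-256:ab12...';
  * a bare 40-hex-digit id with no tag is a legacy SHA-1 from an older repo;
  * a check-in manifest is a constructed toy format of 'F <name> <id>' lines.
"""
import hashlib

# Registry of digest algorithms keyed by tag. Introducing a new algorithm is one
# entry here; artifacts already stored keep their old tag and remain verifiable.
ALGORITHMS = {
    "sha1": hashlib.sha1,
    "sha3-256": hashlib.sha3_256,
}
DEFAULT_ALGORITHM = "sha3-256"   # what new artifacts get
LEGACY_ALGORITHM = "sha1"        # assumption: what an untagged 40-hex id means
HEX_DIGITS = set("0123456789abcdef")


def tagged_hash(content, algorithm=DEFAULT_ALGORITHM):
    """Return '<tag>:<hex>' for content, so a verifier knows which algorithm produced it."""
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported hash algorithm: %r" % algorithm)
    return "%s:%s" % (algorithm, ALGORITHMS[algorithm](content).hexdigest())


def parse_id(artifact_id):
    """Split an id into (tag, hex). A bare 40-hex id is treated as legacy SHA-1."""
    tag, sep, hexdigest = artifact_id.partition(":")
    if not sep:
        bare = tag
        if len(bare) == 40 and set(bare) <= HEX_DIGITS:
            return LEGACY_ALGORITHM, bare
        raise ValueError("untagged id is not a 40-hex SHA-1: %r" % artifact_id)
    if tag not in ALGORITHMS:
        raise ValueError("unknown hash algorithm tag: %r" % tag)
    return tag, hexdigest


def verify(content, artifact_id):
    """Recompute the digest with the algorithm named by the id's tag and compare."""
    tag, expected = parse_id(artifact_id)
    return ALGORITHMS[tag](content).hexdigest() == expected


def checkin_manifest(files):
    """Toy manifest: one 'F <name> <id>' line per file, names sorted for determinism."""
    lines = ["F %s %s" % (name, aid) for name, aid in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def verify_checkin(store, manifest_id):
    """Verify a manifest and every artifact it references, choosing the digest
    algorithm per id. Returns a list of (artifact_id, ok) in check order."""
    manifest = store[manifest_id]
    results = [(manifest_id, verify(manifest, manifest_id))]
    for line in manifest.decode().splitlines():
        _, _name, aid = line.split(" ", 2)
        ok = aid in store and verify(store[aid], aid)
        results.append((aid, ok))
    return results


def build_demo_store():
    """Constructed repository: three files identified three different ways, plus a
    manifest hashed with the default algorithm. Returns (store, manifest_id)."""
    legacy = b"int main(void) { return 0; }\n"
    readme = b"Fossil sample\n"
    notes = b"hash-agnostic ids\n"
    legacy_id = hashlib.sha1(legacy).hexdigest()   # bare id, as an old repo would store it
    readme_id = tagged_hash(readme, "sha1")        # explicitly tagged SHA-1
    notes_id = tagged_hash(notes)                  # default, sha3-256
    manifest = checkin_manifest({"main.c": legacy_id, "README": readme_id, "NOTES": notes_id})
    manifest_id = tagged_hash(manifest)
    store = {legacy_id: legacy, readme_id: readme, notes_id: notes, manifest_id: manifest}
    return store, manifest_id


if __name__ == "__main__":
    store, manifest_id = build_demo_store()
    for aid, ok in verify_checkin(store, manifest_id):
        print("%-8s %s %s" % (parse_id(aid)[0], "ok " if ok else "BAD", aid))
```

The point of the registry is that a check-in written with the new algorithm can still reference file artifacts stored under the old one: `verify_checkin` never needs a repository-wide "which hash is this repo" setting, it reads the algorithm off each id as it goes. The legacy rule for bare 40-hex ids is what lets an existing repository keep working without rewriting its history; it is also the one place where the format is ambiguous, so it is worth rejecting anything that is neither a known tag nor exactly 40 lowercase hex digits, as `parse_id` does.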