On Thursday, January 19, 2012 04:47:00 PM Murray S. Kucherawy wrote:
> > So could someone explain why choosing HMAC is any more silly than doing
> > the hash?
>
> It's not more silly. The point is that H is good enough to achieve the
> above goals. If there's a scale from 0 to N where the goal is achieved at,
> say, 5, H gets us to 5 while HMAC gets us to 10000. It just seems like
> overkill, especially since mounting an attack against H is probably more
> expensive than just log trolling.
>
> > Or why there is any objection to doing HMAC (since it isn't
> > hard to do)?
>
> I don't recall any objection beyond the above.

My objection is it's overkill. Over specifying because someone is afraid that someday someone may point to this as an example to be insecure when it does matter is a silly reason.

Scott K
