On 12/8/06, Chris Hostetter <[EMAIL PROTECTED]> wrote:
: It _is_ a valid concern in general (I would never use md5 as a
: cryptographic hash, e.g., for passwords), but significantly less of a
: concern for this use. The most important role of the hash is to
: ensure no corruption occurred during transfer.
Bingo: We checksum the files with MD5, we sign the files with GPG
And the standard digital signature content hash is defined to be SHA-1
AFAIK. And yes, someone has managed to find a way to get collisions
in SHA1 hashes in less time than it would take to purely guess at
random. But let's be serious... for our projects it's going to be far
easier and cheaper to circumvent the encryption than break it.
When PGP/GPG switch to a different mechanism by default, so will we.
-Yonik
