Re: [TLS] SHA-1 vs. FNV-1

Eric Rescorla <ekr@rtfm.com> Sat, 08 May 2010 15:05 UTC

On Sat, May 8, 2010 at 12:36 AM, Stefan Santesson <stefan@aaa-sec.com> wrote:
> Eric,
>
> Thanks for your input, but it would be great if you let us in on your long
> version instead of just stating your opinion.

I thought that was the long version: everyone already has SHA-1 in their
stacks. This is just added cruft. What more is there?


> You say:
>> In short, I prefer SHA-1 to FNV-1. FNV-1 introduces a new algorithm for no
>> reason other than people might be confused about what SHA-1 is doing
>> in this case. I realize it's simple but calling SHA-1 is even simpler.
>> We should just call SHA-1 with no agility.
>
> It was you who proposed the syntax that introduced agility for the hash
> algorithm (expanding my initial syntax with no agility):
>
> http://www.ietf.org/mail-archive/web/tls/current/msg03331.html

I'm sorry, I don't see the relevance here. I don't recall saying that we needed
agility in that meeting. However, people felt we did and I proposed syntax
that recognized that. The point of that message was to support multiple types
of cached info, not to support multiple types of hashes. That's why it just
supports the "minimal" level of hash agility, i.e., letting the client tell the
server what hash he used.

> At November IETF 2008 you made a presentation at Saag, recognizing "The Need
> for Cryptographically Insecure Hash Functions" for just the reasons that we
> see here.
>
> http://www.ietf.org/proceedings/73/slides/saag-0.pdf
>
> I thought that was a great presentation. What has changed your opinion since
> then?

I'm not sure my opinion has changed. But here we have a system chock
full of hash functions. One of those is entirely suitable. I don't see the
point in abandoning it for yet another function.

>
> Finally, taking your chair hat on, could you advise on how to proceed with
> this draft if the majority still prefers FNV?

I'll let Joe take that. That's why we have two chairs.

-Ekr