Wouter Verhelst <wou...@debian.org> writes: > Uhh? AFAIK, RIPEMD160 is not compromised at all, not even in a > theoretical attack. Why was this part of the decision taken?
> (there is a theoretical attack against RIPEMD, but that is not the same > thing as RIPEMD160) Crypto folks have been dubious about RIPEMD160 for a while for new applications, just because it's pretty old and doesn't have some of the nice properties of modern hashes. It's more proactive than SHA-1 to drop it, but I support dropping it just as a precautionary measure. There isn't a good reason to keep using it so far as I know. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
