On Sun, Jul 28, 2024, 08:42 Rowan Tommins [IMSoP] <imsop....@rwec.co.uk> wrote:
> > > On 27 July 2024 23:14:32 BST, Morgan <weedpac...@varteg.nz> wrote: > > >Why a SHA2 algorithm? Why not a SHA3 one? How about standalone functions > for both, and then when SHA4 comes along (as it inevitably will) another > standalone function for one of its variants? > > You tell me. As I have repeatedly said, I don't actually know anything > about these algorithms. SHA-256 is the only one on the list which I've > heard of, and I'm aware it's newer than SHA-1. I don't know why SHA-512 > isn't "better", I don't know why nobody talks about SHA-3, and I don't know > if one of the others in the list is absolutely amazing and should be > everyone's default forever. > > As far as I can see, nobody, in this whole discussion, has actually > stepped up and explained what users should be using, once we have taught > them that MD5 and SHA-1 are bad. > > > >Or leave them them the 60-piece set (which includes flat-head and > Phillips screwdrivers, so they're not being taken away), and write some > tips on how to use it correctly. > > So go ahead and write those tips. You don't need an RFC vote to improve > the documentation. > > > Here is my offer to those arguing in favour of this deprecation: If you > show me a draft of a comprehensive improvement to the manual to explain how > users should be choosing a hashing algorithm, I will consider changing my > vote. > > I am also happy to help with proofreading, and working out how to format > it into DocBook that fits nicely in the manual. > > As long as the deprecation rests on "somebody in the next 10 years might > get round to improving the manual", my vote remains a firm No. > > > Regards, > Rowan Tommins > [IMSoP] > I have voted yes only because I thought it's about removing inconsistent function alias. I can't see anything wrong with this hashing algorithms and I don't consider them unsafe. However, as someone pointed out this doesn't seem to be correct as the crc32 function isn't part of the depreciation proposal. I am confused now as to why we are trying to deprecate these functions at all. If it's about people confusing the hashing algorithms with password key stretching algorithms then that's not a valid reason. A red warning in the documentation should aid people in clearing this confusion. >
