I chose to hash in a similar situation. Basically I pass the entire
message through MD5 or another hash, then base64. A proper hash (even
MD5) is indistinguishable from pure randomness if you have no knowledge
of the input, and hashing needs only the message. Random numbers
require a source of entropy, which every host should have but I was
less than confident that that was the case. So I chose to hash.

Hashing has its weaknesses. This approach makes the message-id
guessable to anyone who has the message content and other header
fields, for example. I thought that problem minor.
Arnt
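
The trade-off described in the message above, as an added example that is not part of the original post or the poster's code: a Message-ID derived by hashing the message next to one drawn from the OS entropy source. The function names, the `example.com` domain, the header canonicalization, the SHA-256 default and the URL-safe unpadded base64 are all assumptions made for illustration.

```python
import base64
import hashlib
import secrets
from email.message import EmailMessage


def _b64(raw: bytes) -> str:
    # URL-safe alphabet, padding stripped: an assumption made here so the
    # result is plain atext; the post only says "then base64".
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def hashed_message_id(msg: EmailMessage, domain: str, algorithm: str = "sha256") -> str:
    """Derive a Message-ID from the message alone; no entropy source is needed."""
    h = hashlib.new(algorithm)
    for name, value in msg.items():
        if name.lower() != "message-id":  # the ID cannot feed its own hash
            h.update(f"{name.lower()}:{value}\r\n".encode("utf-8"))
    h.update(b"\r\n" + msg.get_content().encode("utf-8"))
    return f"<{_b64(h.digest())}@{domain}>"


def random_message_id(domain: str) -> str:
    """The alternative: 128 bits from the OS entropy source."""
    return f"<{_b64(secrets.token_bytes(16))}@{domain}>"


def build_sample(body: str) -> EmailMessage:
    """Constructed sample message; every value here is made up."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Date"] = "Mon, 01 Jan 2024 00:00:00 +0000"
    msg["Subject"] = "status"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    sender = hashed_message_id(build_sample("all good\n"), "example.com")
    # Anyone holding the same headers and body recomputes the same ID.
    observer = hashed_message_id(build_sample("all good\n"), "example.com")
    print(sender, sender == observer)
    print(random_message_id("example.com"))
```

Two messages with identical headers and body also receive the same ID under the hashed scheme, so the Date header (or another varying field) has to be part of the input.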