ant-dev mailing list archives

From Stefan Bodewig <bode...@apache.org>
Subject Which algorithm to recommend for <checksum>?
Date Wed, 16 Feb 2005 09:40:59 GMT
Hi all,

MD5 was broken about half a year ago and now it seems as if SHA-1
was gone as well[1].

JDK 1.2 and 1.3[2] only list MD2 as an alternative while JDK 1.4 adds[3]
SHA-256, SHA-384, and SHA-512.

MD2 doesn't look better than MD5 and the longer SHA variants aren't
available on older JDKs.

To me it almost looks as if we should recommend to not use <checksum>
for any security related stuff at all, but rely on PGP and similar
measures.  In particular we probably shouldn't create MD5 checksums
for the next Ant release since they've become useless and people need
to go the PGP route more than ever to really trust our downloads.

Stefan

Footnotes: 
[1]  http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

[2]  http://java.sun.com/j2se/1.3/docs/guide/security/CryptoSpec.html#AppA

[3]  http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#AppA

[4]  http://en.wikipedia.org/wiki/MD2#Security
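
Added example (not part of the original message or of Ant's code): a Java probe that asks the running JDK for the strongest MessageDigest it provides, falling back in order when an algorithm is missing, and then hashes a stream with it. The class name, the preference order and the sample bytes are assumptions made for illustration; the syntax needs Java 5 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestProbe {
    // Standard JCA algorithm names, strongest first (order is this example's choice).
    static final String[] PREFERRED = {"SHA-512", "SHA-384", "SHA-256", "SHA-1", "MD5"};

    /** Returns the first preferred digest that the running JDK's providers offer. */
    static MessageDigest strongestAvailable() throws NoSuchAlgorithmException {
        for (String name : PREFERRED) {
            try {
                return MessageDigest.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                // This JDK does not ship the algorithm; try the next one.
            }
        }
        throw new NoSuchAlgorithmException("none of the preferred digests is available");
    }

    /** Streams the input through the digest and returns the result as lowercase hex. */
    static String hexDigest(InputStream in, MessageDigest md) throws IOException {
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        MessageDigest md = strongestAvailable();
        // Constructed sample input; a real run would open the release archive instead.
        byte[] sample = "constructed sample input".getBytes("UTF-8");
        System.out.println(md.getAlgorithm() + "  "
                + hexDigest(new ByteArrayInputStream(sample), md));
    }
}
```

The digest only detects accidental or unauthenticated changes to the file; it says nothing about who published it, which is the gap the message proposes to close with PGP signatures.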

