Bug 103462 - SHA1 instead of MD5
Summary: SHA1 instead of MD5
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution   
(Show other bugs)
Version: 1
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Mark J. Cox
QA Contact: Mike McLean
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-08-31 10:57 UTC by Petri T. Koistinen
Modified: 2007-11-30 22:10 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-09-01 09:16:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Petri T. Koistinen 2003-08-31 10:57:51 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20030827 Galeon/1.3.7
Debian/1.3.7.20030825-3

Description of problem:
I think Red Hat should move from RSA Data Security, Inc. propietary MD5 algoritm
to more secure SHA1.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:

    

Additional info:

US Secure Hash Algorithm 1 (SHA1):
http://www.ietf.org/rfc/rfc3174.txt

SECURE HASH STANDARD:
http://www.itl.nist.gov/fipspubs/fip180-1.htm

Comment 1 Bill Nottingham 2003-09-01 01:47:03 UTC
Move to it where, in what context?

Comment 2 Mike A. Harris 2003-09-01 03:16:39 UTC
As I told you in IRC, MD5 is not proprietary.

http://dictionary.reference.com/search?q=proprietary

pro·pri·e·tar·y   Audio pronunciation of proprietary ( P )  Pronunciation Key 
(pr-pr-tr)
adj.

   1. Of, relating to, or suggestive of a proprietor or to proprietors as a
group: had proprietary rights; behaved with a proprietary air in his friend's house.
   2. Exclusively owned; private: a proprietary hospital.
   3. Owned by a private individual or corporation under a trademark or patent:
a proprietary drug.

The RFC:
http://asg.web.cmu.edu/rfc/rfc1321.html

The unofficial homepage, with legal disclaimer and license terms:
http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

I'm not quite sure what you think is proprietary about MD5.

Comment 3 Petri T. Koistinen 2003-09-01 05:11:34 UTC
Ok, let's refrase: SHA1 hash is longer, so it's more secure. Please, consider
starting using it in place of MD5 when possible. Like in security announcements.

Comment 4 Mark J. Cox 2003-09-01 09:16:09 UTC
All the packages distributed by Red Hat as part of our advisories are signed
with the Red Hat package signing key.  Checking this signature is done
automatically for people using our update tools, and we do encourage users to
manually check it if downloading for themselves.  This reduces the need for us
to list individual checksums.  

If the MD5 sums in our advisories were the sole mechanism for our users to check
the packages they were downloading then we'd be more likely to move to SHA1.  

I believe that MD5 sums are fit for the purpose that we use them for, so moving
to deferred; we'll look at this again if any of the conditions change.


Note You need to log in before you can comment on or make changes to this bug.