APR 2.0.0 - deprecate MD4 at last?

["William A. Rowe, Jr." <wr...@rowe-clan.net>]

MD4 was DOA when APR was created.

Can we please introduce SHA-2 and drop MD4 entirely in APR release 2.0.0?

If configuring for a FIPS ssl environment, we will also have to stub out MD5
entirely since it too is a prohibited algorithm.  But it's common enough
still today that I'm not in favor of dropping it from APR.  There are just
too many MD5 hashes our users still need to calculate.

Bill

Re: APR 2.0.0 - deprecate MD4 at last?

[Bojan Smojver <bo...@rexursive.com>]

On Wed, 2007-01-03 at 18:30 -0600, William A. Rowe, Jr. wrote:

> If configuring for a FIPS ssl environment, we will also have to stub out MD5
> entirely since it too is a prohibited algorithm.

Apparently, they claim it's still good for HMAC stuff.

-- 
Bojan

Re: APR 2.0.0 - deprecate MD4 at last?

["Roy T. Fielding" <ro...@gmail.com>]

On Jan 3, 2007, at 4:30 PM, William A. Rowe, Jr. wrote:

> MD4 was DOA when APR was created.

Only for cryptography.  There is nothing wrong with its use as a hash.
Rsync still uses it.

> Can we please introduce SHA-2 and drop MD4 entirely in APR release  
> 2.0.0?
>
> If configuring for a FIPS ssl environment, we will also have to  
> stub out MD5
> entirely since it too is a prohibited algorithm.  But it's common  
> enough
> still today that I'm not in favor of dropping it from APR.  There  
> are just
> too many MD5 hashes our users still need to calculate.

FIPS does not regulate what algorithms are implemented.  It might
regulate what algorithms are used for security-related purposes, but
that is not relevant to APR.

....Roy