On 30/07/2024 21:57, Tim Düsterhus wrote:
Let me attempt to give an explanation. As of today users should use in order of priority:
1. The hash function they need for interoperability: If a service provides a SHA-1 checksum, then there is no choice and SHA-1 needs to be used.
2. The hash function their security team requests them to use.
3. A function from the SHA-2 family, with SHA-256 being a good default choice, because that's the secure default choice across the industry.
Thanks, this is a good concise explanation, and exactly the kind of thing I think should be in the documentation *before* we start telling people they're "doing it wrong" by using md5() or sha1().
It also strengthens my conviction that we should add sha256() and sha256_file() as standalone functions: a "good default choice" is really all most users want or need. There seems to be no risk of us needing to add a new function every other year, or provide a dozen functions to cover different use cases.
Users in scenarios 1 or 2 will know what to look up in the hash_algos() list and pass to hash(). Users who have complex use cases like incremental hashing, or whatever hash_hkdf() does, can keep using the complex but flexible functions that provide those facilities.
Note that if SHA-256 ever stops being the recommendation, having a sha256() function will give us the same opportunity we have now with md5() and sha1(): to issue a message to users of the standalone function, but keep the algorithm fully available in hash().
Regards,
--
Rowan Tommins
[IMSoP]