Eric Rescorla wrote:
>
> Marsh Ray wrote:
> >
> > I think he's arguing that anything cut down to 96 bits represents a lousy
> > hash function allowing practical collisions on today's hardware.
>
> Perhaps, but this isn't a digest but rather a MAC, and so the attack
> model is different.

You seem to be forgetting that the finished messages have been reused
for other purposes already:

  RFC-5929 TLS Channel Bindings
  RFC-5746 TLS extension Renegotiation indication

I'm sorry, but I think it is a bad idea to use a flawed design for
the TLS finished message by subverting the collision resistance
of stronger secure hash functions that are used for the PRF.

-Martin
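For reference, an added example (not part of the original message or thread) of the value under discussion: the TLS 1.2 Finished `verify_data` as defined in RFC 5246, which keeps 12 bytes of the PRF output, and the two reuses named above (the RFC 5929 `tls-unique` binding and the RFC 5746 `renegotiation_info` body). The master secret and handshake transcript are constructed sample values, and the helper names are this example's own.

```python
import hashlib
import hmac

VERIFY_DATA_LENGTH = 12  # RFC 5246 default: 96 bits kept from the PRF output

# Constructed sample inputs; a real stack takes these from the live handshake.
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_TRANSCRIPT = b"constructed ClientHello..ServerHelloDone..ClientKeyExchange"


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246, section 5)."""
    out, a = b"", seed                                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, "sha256").digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, "sha256").digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to length."""
    return p_hash(secret, label + seed, length)


def finished_verify_data(master_secret: bytes, label: bytes,
                         handshake_messages: bytes) -> bytes:
    """verify_data = PRF(master_secret, label, Hash(handshake_messages))[0..11]."""
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return prf(master_secret, label, transcript_hash, VERIFY_DATA_LENGTH)


def tls_unique(first_finished_verify_data: bytes) -> bytes:
    """RFC 5929 tls-unique: the first Finished struct sent in the handshake."""
    return first_finished_verify_data


def renegotiation_info_client(client_verify_data: bytes) -> bytes:
    """RFC 5746 renegotiated_connection<0..255>: length byte, then verify_data."""
    return bytes([len(client_verify_data)]) + client_verify_data


if __name__ == "__main__":
    vd = finished_verify_data(SAMPLE_MASTER_SECRET, b"client finished",
                              SAMPLE_TRANSCRIPT)
    print("verify_data       :", vd.hex(), f"({len(vd) * 8} bits)")
    print("tls-unique        :", tls_unique(vd).hex())
    print("renegotiation_info:", renegotiation_info_client(vd).hex())
```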