Closed (kaiwirt closed 1 year ago)
@kaiwirt In general I agree. MD5? OMG.
I am not sure what the difference is between SHA-224 and SHA-512/224, but sure, we should add a few more algorithms including SHA3. There is support for it in common cryptographic libraries.
@tomkralidis any objections?
+1/agree. Can we update/PR?
Addressed in #38
I would suggest following the NIST recommendations for the allowed integrity methods.
See: https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions
Thus, we should select a set of functions from SHA-2 (i.e., SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256) and SHA-3 (i.e., SHA3-224, SHA3-256, SHA3-384, SHA3-512) and take into account that "NIST encourages application and protocol designers to implement SHA-256 at a minimum for any applications of hash functions requiring interoperability."
Given the current list in the message format specification my recommendation would be to
We also should define if the verification of the integrity value is a MUST (in which case the receiving end must support all integrity algorithms we choose) or is considered optional.
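An added example, not part of the thread or of the specification: a receiver-side integrity check that accepts only the SHA-2 and SHA-3 functions listed above and reports separately when an allowed algorithm is missing from the local build, which is the case the MUST-versus-optional question has to settle. The method labels, the base64 encoding of the value and the function names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac

# Method labels (hypothetical spelling) -> hashlib names, limited to the
# SHA-2 and SHA-3 functions listed in the thread. MD5 is deliberately absent.
ALLOWED = {
    "sha224": "sha224", "sha256": "sha256",
    "sha384": "sha384", "sha512": "sha512",
    "sha512/224": "sha512_224", "sha512/256": "sha512_256",
    "sha3-224": "sha3_224", "sha3-256": "sha3_256",
    "sha3-384": "sha3_384", "sha3-512": "sha3_512",
}


def _digest(payload, method):
    """Return the raw digest, or None if this build lacks the algorithm."""
    name = ALLOWED[method]
    if name not in hashlib.algorithms_available:
        return None  # e.g. SHA-512/t depends on the linked OpenSSL
    return hashlib.new(name, payload).digest()


def integrity_value(payload, method):
    """Sender side: base64 of the digest (the encoding is an assumption)."""
    digest = _digest(payload, method)
    return None if digest is None else base64.b64encode(digest).decode()


def verify_integrity(payload, method, value_b64):
    """Receiver side: 'ok', 'mismatch', 'rejected' or 'unsupported'."""
    method = method.lower()
    if method not in ALLOWED:
        return "rejected"      # off the allow-list (md5, sha1, typos)
    expected = _digest(payload, method)
    if expected is None:
        return "unsupported"   # allowed by policy, missing locally
    try:
        claimed = base64.b64decode(value_b64, validate=True)
    except (binascii.Error, ValueError):
        return "mismatch"      # value is not valid base64
    # Constant-time comparison; a SHA-224 digest sent under the SHA-512/224
    # label has the same length (28 bytes) but never matches.
    return "ok" if hmac.compare_digest(expected, claimed) else "mismatch"
```
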