Author sbt
Recipients christian.heimes, dmalcolm, sbt
Date 2013-02-20.21:16:03
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Banning md5 as a matter of policy may be perfectly sensible.

However, I think the way multiprocessing uses hmac authentication is *not* affected by the collision attacks the advisory talks about.  These depend on the attacker being able to determine for himself whether a particular candidate string is a "solution".

But with the way multiprocessing uses hmac authentication there is no way for the attacker to check for himself whether a candidate string has the desired hash: he does not know what the desired hash value is, or even what the hash function is.  (The effective hash function, though built on top of md5, depends on the secret key.)
Date User Action Args
2013-02-20 21:16:03sbtsetrecipients: + sbt, christian.heimes, dmalcolm
2013-02-20 21:16:03sbtsetmessageid: <>
2013-02-20 21:16:03sbtlinkissue17258 messages
2013-02-20 21:16:03sbtcreate