> On Sun, Feb 27, 2005 at 02:16:27AM -0000, daviddhall@... wrote:
> > So, the only potential for harm is if you are wanting to download a
> > file from an untrusted source, but you think the file is trustworthy
> > based on some sort of md5 backtracking to a trusted site. (This of
> > course is all in theory since none of this is working). So you
> > download the file... you then have to run an md5 sum of the file to
> > ensure it matches the md5 published by the trusted site. Here's where
> > the potential for harm occurs. You think it's ok because the md5 was
> > blessed by the trusted site.
> > I just wonder if this is really something to be concerned about. I go
> > back and forth because I see the beauty of keeping the same hash
> > algo.
It's unlikely that the apps you're thinking of need anything but MD5, but
there are plenty of other apps that would need a reliable hash, so the
best reason to allow other hash algos is that you want the spec to be
useful for applications aside from Yahoo's.
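
The check described in the quoted message, combined with the algorithm choice the reply argues for, as an added example that is not part of the original thread. The `algo:hexdigest` string format, the allowlist, and the function names are assumptions made for illustration, and the sample bytes are constructed.

```python
import hashlib
import hmac
import io

# Assumption: the digests this verifier accepts. MD5 stays listed because the
# thread treats it as the existing default; the others are opt-in alternatives.
ALLOWED_ALGOS = {"md5", "sha1", "sha256"}
DEFAULT_ALGO = "md5"


def parse_published(value):
    """Split a hypothetical 'algo:hexdigest' string; a bare digest means MD5."""
    algo, sep, digest = value.strip().partition(":")
    if not sep:
        algo, digest = DEFAULT_ALGO, algo
    algo, digest = algo.lower(), digest.lower()
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported hash algorithm: {algo!r}")
    # Reject digests whose length or alphabet does not fit the declared algo.
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed {algo} digest")
    return algo, digest


def verify_stream(stream, published, chunk_size=65536):
    """Return True only if the stream hashes to the published digest."""
    algo, expected = parse_published(published)
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


# Constructed sample data standing in for the file fetched from the mirror.
GOOD = b"constructed payload from the mirror\n"
TAMPERED = GOOD + b"extra bytes\n"
# The digest must come from the trusted site, never from the mirror itself.
PUBLISHED_MD5 = hashlib.md5(GOOD).hexdigest()  # legacy form, no prefix
PUBLISHED_SHA256 = "sha256:" + hashlib.sha256(GOOD).hexdigest()

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("tampered", TAMPERED)):
        for pub in (PUBLISHED_MD5, PUBLISHED_SHA256):
            print(label, pub[:12], verify_stream(io.BytesIO(data), pub))
```

A publisher that only emits bare MD5 strings keeps working unchanged, while one that needs a stronger hash can declare it without a second format.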