
hallam@w3.org writes:
A keyed version of MD5 is the base authentication mechanism in IPSP and it has been heavily examined by a number of very good cryptographers.
Yes we reviewed it and said that it sucked.
Phil wrote a note to Ron and Ron sent in a series of comments.
Phil was complaining largely because in spite of his apparent cryptography credentials he's a lughead who can't have been bothered to understand the architecture -- most of his comments reflected a general ignorance of the process and of the discussions that had preceded. He also complained that the transforms weren't sufficiently generic for his tastes. However, no complaints AT ALL were made about Hugo's selection of cryptographic transform. We were assured by everyone that it was the right thing to do, with people swearing up and down that it was the appropriate idea. Do you want me to extract the mailing list archives? Every last posting on this topic is on line.
The sequence of events I heard was that they asked Burt Kaliski for a suggestion, he gave them one and they chose something different.
Actually, Kaliski made an off-the-cuff suggestion that all the other crypto folks ripped apart, largely because it was obvious even to me how it could be attacked, and then he backed off.

Perry