Possible Duplicate:
What is SHA-3 and why did we change it?
SHA-3 has been finalized! So, what does secuirty.se think about the new hash funciton? Should we start replacing all uses of md5/sha1/sha2 with Keccak? Is it too soon? Or do you think that the NIST process is rigorous enough.
First, there is no "real SHA-3" yet. In a few months, NIST will publish a specification which will define unambiguously what SHA-3 is. Unless there is a big blunder somewhere, we can predict that SHA-3 will be bit-to-bit compatible with the specification of Keccak as submitted for round 3 of the competition.
Then there is no reason to replace SHA-2 with (future-)SHA-3: neither scientifically (SHA-2 is not broken, far from it; and, for performance, Keccak is not terribly better than SHA-2, and often worse, depending on the architecture), nor administratively (the NIST people themselves posit that there is no need to replace SHA-2 with SHA-3).
There are reasons to replace MD5 and SHA-1 with SHA-2 (or SHA-3 in the future) but these reasons were already valid last week and you should already be doing it.
Algorithm agility is an important quality of protocols -- but that's a question of protocol design. People who are qualified to design security protocols already know it, and the other should refrain from designing protocols.
Hash functions are fairly new, and we are still discovering new cryptanalysis attacks against them. SHA-3 looks useful, so I disagree with Schneier's comments about a no-award. However, we should plan on having a SHA-4 competition in the near future. Being able to change what hash function that you rely upon is a useful feature. SSL/TLS is a good example of this.
