Estragon | 10 years ago

f(X)=sha1(concat(md5(X), X)), then.

woodman | 10 years ago

What you have in that case is a 128-bit prefix with, last I heard, less than 60 bits of security - due to md5 being so broken. Now the attacker can start the first round of sha1 with a massively reduced number of potential permutations. That isn't a problem for sha1 today, but if it is tomorrow - then you are much worse off than you would have been just feeding sha1 your plaintext. The benefit of the additional computational complexity is pretty small, and not worth the additional potential point of failure.