[Standards] XEP-0115 redux
Peter Saint-Andre
stpeter at stpeter.im
Thu Jan 10 10:32:13 CST 2008
Alexander Gnauck wrote:
> Joe Hildebrand schrieb:
>>> 3b. If we specify an MTI algorithm, do we specify MD5 or SHA-1 or
>>> something else?
>>
>> Frankly, I don't care. MD5 is smaller, and probably more secure, but
>> has marketing issues, particularly with a vocal minority on this
>> list. We all have SHA-1 implementations for other things.
>
> Maybe I misunderstood the new hash logic. Does it matter at all which
> hashing we use? I thought we use the resulting hash only for the disco
> cache and don't verify anything.
>
> Most client and library implementations have both hashing algorithms
> already implemented for SASL.
>
> > Flip a coin, for all I care.
>
> My coin has SHA-1 on both sides :). I prefer it because its used at many
> other places as well. But I'm also fine with MD-5. As i said before, I
> don't see the reason why the hash algorithm matters.
The hashing algorithm matters because when you send me caps, I need to
verify the contents (i.e., the long string of identity+features that you
used as input to the hash function). The spec says:
The requesting entity MUST check the identities and supported
features against the 'ver' value by calculating the hash as described
under Generation of the ver Attribute and making sure that the values
match.
This helps me be sure that you're not poisoning the caps ecosystem. But
if you used SHA-384 to generate the hash and I don't support that
algorithm, then I can't verify the contents.
Or so it seems to me. :)
Peter
--
Peter Saint-Andre
https://stpeter.im/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/standards/attachments/20080110/1f5d68ec/attachment.bin
More information about the Standards
mailing list