[Standards] [Fwd: [Council] meeting minutes, 2007-11-21]

Joe Hildebrand hildjj at gmail.com
Thu Nov 22 00:04:29 UTC 2007


Fine.  Let's use SHA-256 then, as long as you explain to the Navy guys  
why every presence change is 16 bytes bigger.  I don't care what the  
algorithm is.  Let's just pick one and stick with it.

As an aside (not meant to derail the process, because, again, I don't  
care what the algorithm is), I don't agree that SHA-1 is unsound for  
this use.  It would mean that someone was able to pick plaintext that  
had a given hash, but still made sense as valid XML.  The chances of  
that still seem... remote.

On Nov 21, 2007, at 4:34 PM, Boyd Fletcher wrote:

> SHA-1 is no longer cryptographically sound. We should be using the  
> SHA-2
> class of hashes and probably set SHA-256 as the minimum.
>
>
> boyd
>
>
>
> On 11/21/07 6:22 PM, "Joe Hildebrand" <hildjj at gmail.com> wrote:
>
>> On Nov 21, 2007, at 1:12 PM, Peter Saint-Andre wrote:
>>>> 14. XEP-0115: Entity Capabilities
>>>>
>>>> Dave objected to removal of hash attribute and hardcoding to SHA-1,
>>>> since that is not future-proof. Peter agreed that this needs to be
>>>> included.
>>
>>
>> Are we realistically *ever* going to define a new hash algorithm?
>> Imagine the breakage that would ensue.
>>
>> This reminds me, though, that if we don't specify hash, the v
>> attribute cannot be optional for new caps; otherwise receivers won't
>> know whether this is an old or new caps declaration.
>>
>> --
>> Joe Hildebrand
>>
>>
>
>

-- 
Joe Hildebrand




More information about the Standards mailing list