[Standards] [Fwd: [Council] meeting minutes, 2007-11-21]
hildjj at gmail.com
Thu Nov 22 00:04:29 UTC 2007
Fine. Let's use SHA-256 then, as long as you explain to the Navy guys
why every presence change is 16 bytes bigger. I don't care what the
algorithm is. Let's just pick one and stick with it.
As an aside (not meant to derail the process, because, again, I don't
care what the algorithm is), I don't agree that SHA-1 is unsound for
this use. It would mean that someone was able to pick plaintext that
had a given hash, but still made sense as valid XML. The chances of
that still seem... remote.
On Nov 21, 2007, at 4:34 PM, Boyd Fletcher wrote:
> SHA-1 is no longer cryptographically sound. We should be using the
> class of hashes and probably set SHA-256 as the minimum.
> On 11/21/07 6:22 PM, "Joe Hildebrand" <hildjj at gmail.com> wrote:
>> On Nov 21, 2007, at 1:12 PM, Peter Saint-Andre wrote:
>>>> 14. XEP-0115: Entity Capabilities
>>>> Dave objected to removal of hash attribute and hardcoding to SHA-1,
>>>> since that is not future-proof. Peter agreed that this needs to be
>> Are we realistically *ever* going to define a new hash algorithm?
>> Imagine the breakage that would ensue.
>> This reminds me, though, that if we don't specify hash, the v
>> attribute cannot be optional for new caps; otherwise receivers won't
>> know whether this is an old or new caps declaration.
>> Joe Hildebrand
More information about the Standards