[Standards] [Fwd: [Council] meeting minutes, 2007-11-21]

Lauri Kaila lauri.kaila at gmail.com
Thu Nov 22 10:38:43 UTC 2007


2007/11/22, Boyd Fletcher <boyd.fletcher at je.jfcom.mil>:
>
>  SHA-1 is no longer cryptographically sound. We should be using the SHA-2
> class of hashes and probably set SHA-256 as the minimum.

What kind of attacks are based on this weakness in XEP-0115? I can
only think of DOS by lying capabilities (when the hash of a liar's
capabilities collides with someone's real caps). I'd think disabling
XEP-0115 is the cure to recover and prevent happening again.

Anyway, one might expect a replacement for SHA-1 to exist in 2011, as
I read from http://www.schneier.com/blog/archives/2007/02/a_new_secure_ha.html

-lauri



More information about the Standards mailing list