[Standards] Hash algorithms (Bits of Binary / Jingle FT)
paul at darkrain42.org
Tue Jun 29 20:12:46 UTC 2010
A few comments about hash algorithms (basing off my reading the Jingle
FT spec  just now and a discussion the Pidgin devs had a few months
ago, which I don't think was brought up in the XMPP community, though I
might have missed it).
1) Are there canonical text representations of hash algorithm names some
place? i.e. other than it being the one described in the Bits of Binary
 spec, how do I know that I should use 'sha1' instead of 'sha-1'?
Even worse, I just checked Entity Capabilities  and it uses "sha-1"
as the name of the algorithm!!! :(
2) The Bits of Binary spec and Jingle FT spec don't mention MTI hash
algorithms, nor do they include security considerations; the text could
probably be lifted from 0115.
3) BoB specifies that "[a] recipient SHOULD cache data based on the hash
of the data as encapsulated in the cid.", but doesn't actually specify
validation or what a client should do when hash validation should fail.
I believe (Marcus, correct me if I'm wrong) that Pidgin now falls back
to caching based on (bare?) JID + hash if validation fails (or is
impossible), preventing poisoning of any blobs received from other clients.
4) I posted this to the Jingle list, but the Jingle FT spec defines a
'hash' attribute which is underspecified. The spec neither describes
how to generate it/what the receipient MAY do with it (yes, relatively
obvious), mentions that it's using SHA1, nor allows for future hash agility.
5) Should the XSF adopt hash-function recommendations and standards for
all future specs? I'm thinking standardized names (*cough* #1 *cough*)
as well as MTI recommendations (perhaps choosing SHA-256, as NIST
 Jingle File Transfer http://xmpp.org/extensions/xep-0234.html
 Entity Capabilities http://xmpp.org/extensions/xep-0115.html
 Bits of Binary http://xmpp.org/extensions/xep-0231.html
 NIST's Policy on Hash Functions
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 897 bytes
Desc: OpenPGP digital signature
More information about the Standards