flo at geekplace.eu
Thu Feb 23 16:53:04 UTC 2017
On 23.02.2017 15:36, Florian Schmaus wrote:
> On 23.02.2017 15:19, Peter Waher wrote:
>> Hello all.
>> SHA-1 is used in many places throughout XMPP. Examples include
>> authentication mechanisms (SCRAM-SHA-1) and entity capabilities
>> (XEP-0115), for instance. Concerning the recent report about
>> vulnerabilities found in SHA-1, should there be an effort to upgrade all
>> these to SHA-256 or later?
> But it may be sensible to change the mandatory hash algorithm of
> XEP-0155. And after we decided a successor of SHA-1 for XEP-0115 we
> could also fix the existing flaws of XEP-0115 like , because this
> would require a namespace bump anyway.
Correction. After having another look at XEP-0115, I don't think a
namespace bump is required. Implementations may simply add (another)
<c/> with hash='sha-256'. I do wonder if we shouldn't simply update the
examples in XEP-0115 so that they say "hash='sha-256'".
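The approach described in the message above, advertising the same capabilities in two `<c/>` elements that differ only in `hash` and `ver`, as an added example that is not part of the original post or of any XMPP library. It follows the verification-string rules of XEP-0115 section 5.1 with service discovery data forms left out; the identity and feature list are the simple generation example from XEP-0115, and the `node` URL is a constructed placeholder.

```python
import base64
import hashlib
from xml.sax.saxutils import quoteattr

CAPS_NS = "http://jabber.org/protocol/caps"
# hash attribute value (IANA textual name) -> hashlib algorithm name
HASHES = {"sha-1": "sha1", "sha-256": "sha256"}

# Input taken from the simple generation example in XEP-0115.
IDENTITIES = [("client", "pc", "", "Exodus 0.9.1")]  # category, type, lang, name
FEATURES = [
    "http://jabber.org/protocol/muc",
    "http://jabber.org/protocol/caps",
    "http://jabber.org/protocol/disco#items",
    "http://jabber.org/protocol/disco#info",
]
NODE = "https://client.example/caps"  # constructed placeholder


def verification_string(identities, features):
    """Build the hash input S: sorted identities, then sorted features."""
    for field in [f for ident in identities for f in ident] + list(features):
        if "<" in field:
            # '<' is the field delimiter; allowing it inside a value would let
            # two different capability sets produce the same hash input.
            raise ValueError("'<' not allowed in caps input: %r" % field)
    parts = ["/".join(ident) + "<" for ident in sorted(identities)]
    parts += [feature + "<" for feature in sorted(features)]
    return "".join(parts).encode("utf-8")


def caps_ver(identities, features, hash_name):
    """Return the base64 'ver' value for one hash algorithm."""
    data = verification_string(identities, features)
    return base64.b64encode(hashlib.new(HASHES[hash_name], data).digest()).decode("ascii")


def caps_elements(node, identities, features, hash_names=("sha-1", "sha-256")):
    """One <c/> per algorithm, so SHA-1-only peers still find a value they know."""
    return [
        "<c xmlns=%s hash=%s node=%s ver=%s/>" % (
            quoteattr(CAPS_NS), quoteattr(h), quoteattr(node),
            quoteattr(caps_ver(identities, features, h)))
        for h in hash_names
    ]


if __name__ == "__main__":
    print("\n".join(caps_elements(NODE, IDENTITIES, FEATURES)))
```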