[Standards] SHA-1

Dave Cridland dave at cridland.net
Thu Feb 23 17:19:13 UTC 2017


On 23 February 2017 at 16:53, Florian Schmaus <flo at geekplace.eu> wrote:
> On 23.02.2017 15:36, Florian Schmaus wrote:
>> On 23.02.2017 15:19, Peter Waher wrote:
>>> Hello all.
>>>
>>>
>>> SHA-1 is used in many places throughout XMPP. Examples include
>>> authentication mechanisms (SCRAM-SHA-1) and entity capabilities
>>> (XEP-0115), for instance. Concerning the recent report about
>>> vulnerabilities found in SHA-1, should there be an effort to upgrade all
>>> these to SHA-256 or later?
>>
>> But it may be sensible to change the mandatory hash algorithm of
>> XEP-0155. And after we decided a successor of SHA-1 for XEP-0115 we
>> could also fix the existing flaws of XEP-0115 like [1], because this
>> would require a namespace bump anyway.
>
> Correction. After having anther look at XEP-0115, I don't think a
> namespace bump is required. Implementations may simply add (another)
> <c/> with hash='sha-256'. I do wonder if we shouldn't simply update the
> examples in XEP-0115 so that they say "hash='sha-256'".

No namespace bump, true, but it's still a compatibility break.

So we may as well consider an update if there's benefit.

Dave.


More information about the Standards mailing list