jonas at wielicki.name
Thu Feb 23 19:45:44 UTC 2017
-----BEGIN PGP SIGNED MESSAGE-----
On Donnerstag, 23. Februar 2017 17:19:13 CET Dave Cridland wrote:
> On 23 February 2017 at 16:53, Florian Schmaus <flo at geekplace.eu> wrote:
> > On 23.02.2017 15:36, Florian Schmaus wrote:
> >> On 23.02.2017 15:19, Peter Waher wrote:
> >>> Hello all.
> >>> SHA-1 is used in many places throughout XMPP. Examples include
> >>> authentication mechanisms (SCRAM-SHA-1) and entity capabilities
> >>> (XEP-0115), for instance. Concerning the recent report about
> >>> vulnerabilities found in SHA-1, should there be an effort to upgrade all
> >>> these to SHA-256 or later?
> >> But it may be sensible to change the mandatory hash algorithm of
> >> XEP-0155. And after we decided a successor of SHA-1 for XEP-0115 we
> >> could also fix the existing flaws of XEP-0115 like , because this
> >> would require a namespace bump anyway.
> > Correction. After having anther look at XEP-0115, I don't think a
> > namespace bump is required. Implementations may simply add (another)
> > <c/> with hash='sha-256'. I do wonder if we shouldn't simply update the
> > examples in XEP-0115 so that they say "hash='sha-256'".
> No namespace bump, true, but it's still a compatibility break.
> So we may as well consider an update if there's benefit.
Yes please. I had thought about the issue with the hashing in XEP-0115 a few
months ago already.
I would be happy to propose a specific wording (in form of a github pull
request/diff) for the algorithm which is more clearly specified and avoids the
collisions one might be able to produce currently.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Standards