[Standards] SHA-1

Florian Schmaus flo at geekplace.eu
Thu Feb 23 20:57:47 UTC 2017


On 23.02.2017 18:19, Dave Cridland wrote:
> On 23 February 2017 at 16:53, Florian Schmaus <flo at geekplace.eu> wrote:
>> On 23.02.2017 15:36, Florian Schmaus wrote:
>>> On 23.02.2017 15:19, Peter Waher wrote:
>>>> Hello all.
>>>>
>>>>
>>>> SHA-1 is used in many places throughout XMPP. Examples include
>>>> authentication mechanisms (SCRAM-SHA-1) and entity capabilities
>>>> (XEP-0115), for instance. Concerning the recent report about
>>>> vulnerabilities found in SHA-1, should there be an effort to upgrade all
>>>> these to SHA-256 or later?
>>>
>>> But it may be sensible to change the mandatory hash algorithm of
>>> XEP-0155. And after we decided a successor of SHA-1 for XEP-0115 we
>>> could also fix the existing flaws of XEP-0115 like [1], because this
>>> would require a namespace bump anyway.
>>
>> Correction. After having another look at XEP-0115, I don't think a
>> namespace bump is required. Implementations may simply add (another)
>> <c/> with hash='sha-256'. I do wonder if we shouldn't simply update the
>> examples in XEP-0115 so that they say "hash='sha-256'".
> 
> No namespace bump, true, but it's still a compatibility break.

Is it a compatibility break? Implementations could send both, i.e., <c
hash='sha1'/> and <c hash='sha-256'/> for a while and process the "best"
<c/> when receiving.

- Florian


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 610 bytes
Desc: OpenPGP digital signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20170223/0ce1fcb5/attachment-0001.sig>


More information about the Standards mailing list