[Standards] SHA-1

Florian Schmaus flo at geekplace.eu
Thu Feb 23 20:59:51 UTC 2017


On 23.02.2017 20:45, Jonas Wielicki wrote:
> On Donnerstag, 23. Februar 2017 17:19:13 CET Dave Cridland wrote:
>> On 23 February 2017 at 16:53, Florian Schmaus <flo at geekplace.eu> wrote:
>>> On 23.02.2017 15:36, Florian Schmaus wrote:
>>>> On 23.02.2017 15:19, Peter Waher wrote:
>>>>> Hello all.
>>>>>
>>>>>
>>>>> SHA-1 is used in many places throughout XMPP. Examples include
>>>>> authentication mechanisms (SCRAM-SHA-1) and entity capabilities
>>>>> (XEP-0115), for instance. Concerning the recent report about
>>>>> vulnerabilities found in SHA-1, should there be an effort to upgrade all
>>>>> these to SHA-256 or later?
>>>>
>>>> But it may be sensible to change the mandatory hash algorithm of
>>>> XEP-0155. And after we decided a successor of SHA-1 for XEP-0115 we
>>>> could also fix the existing flaws of XEP-0115 like [1], because this
>>>> would require a namespace bump anyway.
>>>
>>> Correction. After having anther look at XEP-0115, I don't think a
>>> namespace bump is required. Implementations may simply add (another)
>>> <c/> with hash='sha-256'. I do wonder if we shouldn't simply update the
>>> examples in XEP-0115 so that they say "hash='sha-256'".
> 
>> No namespace bump, true, but it's still a compatibility break.
> 
>> So we may as well consider an update if there's benefit.
> 
> Yes please. I had thought about the issue with the hashing in XEP-0115 a few 
> months ago already.
> 
> I would be happy to propose a specific wording (in form of a github pull 
> request/diff) for the algorithm which is more clearly specified and avoids the 
> collisions one might be able to produce currently.

I'd ask council if they would accept a major revision of XEP-0115 before
putting much effort into it. I'd personally like the idea and would
support you. But someone needs to volunteer to be the driving force
behind it.

- Florian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 610 bytes
Desc: OpenPGP digital signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20170223/1acc939f/attachment.sig>


More information about the Standards mailing list