On Fri, Mar 16, 2018 at 9:42 PM, Anders Rundgren <
[email protected]> wrote:

> Scott A:
> https://en.wikipedia.org/wiki/Security_level
> "For example, SHA-256 offers 128-bit collision resistance"
> That is, the claims that there are cryptographic issues w.r.t. Unicode
> Normalization are (fortunately) incorrect.
> Well, if you actually do normalize Unicode, signatures would indeed break,
> so you don't.
>

Where do you specify SHA-256 signatures in your standard?

If one were to use MD5 signatures, they would indeed break in the way I
describe.

It is good security practice to assume that currently-unbroken algorithms
may eventually break in similar ways to discovered flaws in older
algorithms. But in any case, it is simply not good practice to allow
multiple valid representations of content, if your aim is for a "canonical"
representation.
  --scott