The reviews got a little confused with the responses for SHA1 and SHA2 thumbprints. A couple of people responded supporting Mike's assertion, but I have had others tell me directly, SHA2 would be good.
Is there a need to support this for the XMPP community, since they set to SHA256 as a default for certificate fingerprints: http://xmpp.org/extensions/xep-0189.html

Thanks,
Kathleen

On Wed, May 21, 2014 at 9:51 PM, Nat Sakimura <[email protected]> wrote:
> ditto here.
>
> The primary reason for having thumbprint was for finding keys in the Windows crypto API.
> Security property must not depend on it. If it wants to deal with authentication, it should use the keys, IMHO.
>
> 2014-05-22 3:10 GMT+09:00 John Bradley <[email protected]>:
>> I agree with Mike, many key stores use SHA1 thumbprints. I don't know of any security consideration that makes SHA2 thumbprints better in any practical way.
>>
>> I don't think that adding SHA 2 thumbprints is something that we need to do now.
>>
>> John B.
>>
>> On May 1, 2014, at 1:46 PM, Kathleen Moriarty <[email protected]> wrote:
>>
>> >> Mike> Per your JWS comment, SHA-1 thumbprints are widely deployed. I'm aware of no SHA-256 certificate thumbprint deployments. I'll note that even if SHA-1 were completely broken, that wouldn't be a security issue because it's just being used to generate a digest of publicly available certificate information. It's not being used to cryptographically obscure anything. (But that's actually a discussion for another draft. :))
>> >
>> > This is in place for the XML equivalents and should be possible for JSON. I used this at least 2 years ago in the XML Oxygen editor. I believe this has been brought up before in terms of JSON, so I am not the first. But it is another draft... I'd like to get through these all soon :-)
>>
>> _______________________________________________
>> jose mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/jose
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en

--
Best regards,
Kathleen
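An added example, not written by anyone in this thread, showing the role a thumbprint plays in a JWS consumer: both the SHA-1 ("x5t") and SHA-256 ("x5t#S256", RFC 7515) thumbprints of a certificate's DER bytes are computed and base64url-encoded, then used only to select a candidate certificate from a key store. The sample certificates, the store and the find_cert helper are constructed for illustration.

```python
"""Certificate thumbprints as key-store lookup handles (added example).

A thumbprint is a digest of public certificate bytes; matching it selects
a candidate key. Signature verification and chain validation on that key
are still required afterwards, so the security property does not rest on
the digest function (this is the point made in the thread).
"""
import base64
import hashlib
from typing import Dict, List, Optional


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t(der: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate (JWS 'x5t' header)."""
    return b64url(hashlib.sha1(der).digest())


def x5t_s256(der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate (JWS 'x5t#S256')."""
    return b64url(hashlib.sha256(der).digest())


def find_cert(header: Dict[str, str], store: List[bytes]) -> Optional[bytes]:
    """Return the store certificate whose thumbprint matches the JWS header.

    Prefers 'x5t#S256' when present and falls back to 'x5t'. A match only
    picks a candidate; the caller must still verify the JWS signature with
    the selected key and validate the certificate itself.
    """
    if "x5t#S256" in header:
        digest, wanted = x5t_s256, header["x5t#S256"]
    elif "x5t" in header:
        digest, wanted = x5t, header["x5t"]
    else:
        return None
    return next((cert for cert in store if digest(cert) == wanted), None)


# Constructed stand-ins for DER certificates; a real store holds real DER.
CERT_A = b"\x30\x82\x01\x00" + b"A" * 60
CERT_B = b"\x30\x82\x01\x00" + b"B" * 60
STORE = [CERT_A, CERT_B]

if __name__ == "__main__":
    hdr = {"alg": "RS256", "x5t": x5t(CERT_B), "x5t#S256": x5t_s256(CERT_B)}
    print("selected B:", find_cert(hdr, STORE) is CERT_B)
```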
