-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 /me dons "XMPP Expert" Hat
There is some desire to use SHA2 but no strong requirement. As far as algorithm requirements go, look to [XMPP-TLS], [XEP-0300], and [XEP-0320] for the results of the community's more current discussions. - -- - - m&m Matt Miller < [email protected] > Cisco Systems, Inc. [XMPP-TLS] Use of Transport Layer Security (TLS) in the Extensible Messaging and Presence Protocol (XMPP) < http://tools.ietf.org/html/draft-ietf-uta-xmpp-00 > [XEP-0300] Use of Cryptographic Hash Functions in XMPP < http://xmpp.org/extensions/xep-0300.html > [XEP-0320] Use of DTLS-SRTP in Jingle Sessions < http://xmpp.org/extensions/xep-0320.html > On 5/27/14, 8:42 AM, Kathleen Moriarty wrote: > The reviews got a little confused with the responses for SHA1 and > SHA2 thumbprints. A couple of people responded supporting Mike's > assertion, but I have had others tell me directly, SHA2 would be > good. > > Is there a need to support this for the XMPP community, since they > set to SHA256 as a default for certificate fingerprints: > http://xmpp.org/extensions/xep-0189.html > > Thanks, Kathleen > > On Wed, May 21, 2014 at 9:51 PM, Nat Sakimura <[email protected]> > wrote: >> ditto here. >> >> The primary reason for having thumbprint was for finding keys in >> the Windows crypto API. Security property must not depend on it. >> If it wants to deal with authentication, it should use the keys, >> IMHO. >> >> >> 2014-05-22 3:10 GMT+09:00 John Bradley <[email protected]>: >>> >>> I agree with Mike, many key stores use SHA1 thumbprints. I >>> don't know of any security consideration that makes SHA2 >>> thumbprints better in any practical way. >>> >>> I don't think that adding SHA 2 thumbprints is something that >>> we need to do now. >>> >>> John B. >>> >>> On May 1, 2014, at 1:46 PM, Kathleen Moriarty >>> <[email protected]> wrote: >>> >>>>> >>>>> Mike> Per your JWS comment, SHA-1 thumbprints are widely >>>>> deployed. I’m aware of no SHA-256 certificate thumbprint >>>>> deployments. I’ll note that even if SHA-1 were completely >>>>> broken, that wouldn’t be a security issue because it’s just >>>>> being used to generate a digest of publicly available >>>>> certificate information. It’s not being used to >>>>> cryptographically obscure anything. (But that’s actually a >>>>> discussion for another draft. J) >>>>> >>>> >>>> This is in place for the XML equivalents and should be >>>> possible for JSON. I used this at least 2 years ago in the >>>> XML Oxygen editor. I believe this has been brought up before >>>> in terms of JSON, so I am not the first. But it is another >>>> draft... I'd like to get through these all soon :-) >>> >>> >>> _______________________________________________ jose mailing >>> list [email protected] https://www.ietf.org/mailman/listinfo/jose >>> >> >> >> >> -- Nat Sakimura (=nat) Chairman, OpenID Foundation >> http://nat.sakimura.org/ @_nat_en > > > -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJThKiWAAoJEDWi+S0W7cO1RT0H/115y7u4qLZbWNTC23/dZhNa cvH47z2l+cL5KEEKLCFlx3NNgDFYZMabZc9NfTnHYxs0oRw8HQ48B5UubDp/wOgL E35wM4k7+Qsdl+UuiQR86Xu6JRc/9NW8ov4dTSk80TN64AltEtvjyFCO1cN9Zs89 6x/LBtgxrvjhsze4R+LnwWnm/+lXswME01wK8mZTCl0tY753Ca8FtRoAeLb51f4S YwGolRZ8bSRv5waZhupxV/crMeWUFbEsSKQePqrnH7R0O6EzKEI8qZuYc1BsoQ1a EyhHkeElAmJ71qfvBRzLMM6xTA+AGGVtmQG5msm2ETyTiJ4b1ASfG5EHXU1KYVE= =bDGF -----END PGP SIGNATURE----- _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
