Thanks for the quick reply. Another argument would be for the ability to drop SHA1 support eventually. If you move to all SHA2, there is no need to support the SHA1 code anymore.
On Tue, May 27, 2014 at 11:00 AM, Matt Miller <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > /me dons "XMPP Expert" Hat > > There is some desire to use SHA2 but no strong requirement. As far as > algorithm requirements go, look to [XMPP-TLS], [XEP-0300], and > [XEP-0320] for the results of the community's more current discussions. > > > - -- > - - m&m > > Matt Miller < [email protected] > > Cisco Systems, Inc. > > [XMPP-TLS] Use of Transport Layer Security (TLS) in the Extensible > Messaging and Presence Protocol (XMPP) < > http://tools.ietf.org/html/draft-ietf-uta-xmpp-00 > > [XEP-0300] Use of Cryptographic Hash Functions in XMPP < > http://xmpp.org/extensions/xep-0300.html > > [XEP-0320] Use of DTLS-SRTP in Jingle Sessions < > http://xmpp.org/extensions/xep-0320.html > > > On 5/27/14, 8:42 AM, Kathleen Moriarty wrote: >> The reviews got a little confused with the responses for SHA1 and >> SHA2 thumbprints. A couple of people responded supporting Mike's >> assertion, but I have had others tell me directly, SHA2 would be >> good. >> >> Is there a need to support this for the XMPP community, since they >> set to SHA256 as a default for certificate fingerprints: >> http://xmpp.org/extensions/xep-0189.html >> >> Thanks, Kathleen >> >> On Wed, May 21, 2014 at 9:51 PM, Nat Sakimura <[email protected]> >> wrote: >>> ditto here. >>> >>> The primary reason for having thumbprint was for finding keys in >>> the Windows crypto API. Security property must not depend on it. >>> If it wants to deal with authentication, it should use the keys, >>> IMHO. >>> >>> >>> 2014-05-22 3:10 GMT+09:00 John Bradley <[email protected]>: >>>> >>>> I agree with Mike, many key stores use SHA1 thumbprints. I >>>> don't know of any security consideration that makes SHA2 >>>> thumbprints better in any practical way. >>>> >>>> I don't think that adding SHA 2 thumbprints is something that >>>> we need to do now. >>>> >>>> John B. >>>> >>>> On May 1, 2014, at 1:46 PM, Kathleen Moriarty >>>> <[email protected]> wrote: >>>> >>>>>> >>>>>> Mike> Per your JWS comment, SHA-1 thumbprints are widely >>>>>> deployed. I’m aware of no SHA-256 certificate thumbprint >>>>>> deployments. I’ll note that even if SHA-1 were completely >>>>>> broken, that wouldn’t be a security issue because it’s just >>>>>> being used to generate a digest of publicly available >>>>>> certificate information. It’s not being used to >>>>>> cryptographically obscure anything. (But that’s actually a >>>>>> discussion for another draft. J) >>>>>> >>>>> >>>>> This is in place for the XML equivalents and should be >>>>> possible for JSON. I used this at least 2 years ago in the >>>>> XML Oxygen editor. I believe this has been brought up before >>>>> in terms of JSON, so I am not the first. But it is another >>>>> draft... I'd like to get through these all soon :-) >>>> >>>> >>>> _______________________________________________ jose mailing >>>> list [email protected] https://www.ietf.org/mailman/listinfo/jose >>>> >>> >>> >>> >>> -- Nat Sakimura (=nat) Chairman, OpenID Foundation >>> http://nat.sakimura.org/ @_nat_en >> >> >> > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.22 (Darwin) > Comment: GPGTools - https://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQEcBAEBCgAGBQJThKiWAAoJEDWi+S0W7cO1RT0H/115y7u4qLZbWNTC23/dZhNa > cvH47z2l+cL5KEEKLCFlx3NNgDFYZMabZc9NfTnHYxs0oRw8HQ48B5UubDp/wOgL > E35wM4k7+Qsdl+UuiQR86Xu6JRc/9NW8ov4dTSk80TN64AltEtvjyFCO1cN9Zs89 > 6x/LBtgxrvjhsze4R+LnwWnm/+lXswME01wK8mZTCl0tY753Ca8FtRoAeLb51f4S > YwGolRZ8bSRv5waZhupxV/crMeWUFbEsSKQePqrnH7R0O6EzKEI8qZuYc1BsoQ1a > EyhHkeElAmJ71qfvBRzLMM6xTA+AGGVtmQG5msm2ETyTiJ4b1ASfG5EHXU1KYVE= > =bDGF > -----END PGP SIGNATURE----- -- Best regards, Kathleen _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
