Matt, Do people want a explicit way to send a SHA256 hash of a DER encoded cert in JWS/JWE?
The XMPP spec being pointed tp is talking about a print or keyprint that is a SHA256 of the XML character data of the <key/> element. The key element seems to be a XML encoded Modulus, Exponent and other stuff. Is this part of the XMPP spec stable enough to have its quite custom notion of encoded public keys included in JOSE. I would personally like to see the XMPP spec create the element and register it, similarly to the way we did it for JWKS thumbprint. https://self-issued.info/docs/draft-jones-jose-jwk-thumbprint-00.html If it were just using SHA256 vs SHA1 that might be a different case, but it seems that what is being hashed is quite different from the current thumbprint. John B. On May 27, 2014, at 11:00 AM, Matt Miller <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > /me dons "XMPP Expert" Hat > > There is some desire to use SHA2 but no strong requirement. As far as > algorithm requirements go, look to [XMPP-TLS], [XEP-0300], and > [XEP-0320] for the results of the community's more current discussions. > > > - -- > - - m&m > > Matt Miller < [email protected] > > Cisco Systems, Inc. > > [XMPP-TLS] Use of Transport Layer Security (TLS) in the Extensible > Messaging and Presence Protocol (XMPP) < > http://tools.ietf.org/html/draft-ietf-uta-xmpp-00 > > [XEP-0300] Use of Cryptographic Hash Functions in XMPP < > http://xmpp.org/extensions/xep-0300.html > > [XEP-0320] Use of DTLS-SRTP in Jingle Sessions < > http://xmpp.org/extensions/xep-0320.html > > > On 5/27/14, 8:42 AM, Kathleen Moriarty wrote: >> The reviews got a little confused with the responses for SHA1 and >> SHA2 thumbprints. A couple of people responded supporting Mike's >> assertion, but I have had others tell me directly, SHA2 would be >> good. >> >> Is there a need to support this for the XMPP community, since they >> set to SHA256 as a default for certificate fingerprints: >> http://xmpp.org/extensions/xep-0189.html >> >> Thanks, Kathleen >> >> On Wed, May 21, 2014 at 9:51 PM, Nat Sakimura <[email protected]> >> wrote: >>> ditto here. >>> >>> The primary reason for having thumbprint was for finding keys in >>> the Windows crypto API. Security property must not depend on it. >>> If it wants to deal with authentication, it should use the keys, >>> IMHO. >>> >>> >>> 2014-05-22 3:10 GMT+09:00 John Bradley <[email protected]>: >>>> >>>> I agree with Mike, many key stores use SHA1 thumbprints. I >>>> don't know of any security consideration that makes SHA2 >>>> thumbprints better in any practical way. >>>> >>>> I don't think that adding SHA 2 thumbprints is something that >>>> we need to do now. >>>> >>>> John B. >>>> >>>> On May 1, 2014, at 1:46 PM, Kathleen Moriarty >>>> <[email protected]> wrote: >>>> >>>>>> >>>>>> Mike> Per your JWS comment, SHA-1 thumbprints are widely >>>>>> deployed. I’m aware of no SHA-256 certificate thumbprint >>>>>> deployments. I’ll note that even if SHA-1 were completely >>>>>> broken, that wouldn’t be a security issue because it’s just >>>>>> being used to generate a digest of publicly available >>>>>> certificate information. It’s not being used to >>>>>> cryptographically obscure anything. (But that’s actually a >>>>>> discussion for another draft. J) >>>>>> >>>>> >>>>> This is in place for the XML equivalents and should be >>>>> possible for JSON. I used this at least 2 years ago in the >>>>> XML Oxygen editor. I believe this has been brought up before >>>>> in terms of JSON, so I am not the first. But it is another >>>>> draft... I'd like to get through these all soon :-) >>>> >>>> >>>> _______________________________________________ jose mailing >>>> list [email protected] https://www.ietf.org/mailman/listinfo/jose >>>> >>> >>> >>> >>> -- Nat Sakimura (=nat) Chairman, OpenID Foundation >>> http://nat.sakimura.org/ @_nat_en >> >> >> > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.22 (Darwin) > Comment: GPGTools - https://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQEcBAEBCgAGBQJThKiWAAoJEDWi+S0W7cO1RT0H/115y7u4qLZbWNTC23/dZhNa > cvH47z2l+cL5KEEKLCFlx3NNgDFYZMabZc9NfTnHYxs0oRw8HQ48B5UubDp/wOgL > E35wM4k7+Qsdl+UuiQR86Xu6JRc/9NW8ov4dTSk80TN64AltEtvjyFCO1cN9Zs89 > 6x/LBtgxrvjhsze4R+LnwWnm/+lXswME01wK8mZTCl0tY753Ca8FtRoAeLb51f4S > YwGolRZ8bSRv5waZhupxV/crMeWUFbEsSKQePqrnH7R0O6EzKEI8qZuYc1BsoQ1a > EyhHkeElAmJ71qfvBRzLMM6xTA+AGGVtmQG5msm2ETyTiJ4b1ASfG5EHXU1KYVE= > =bDGF > -----END PGP SIGNATURE----- > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
