2007/11/22, Boyd Fletcher <[EMAIL PROTECTED]>:
> SHA-1 is no longer cryptographically sound. We should be using the SHA-2
> class of hashes and probably set SHA-256 as the minimum.

What kind of attacks are based on this weakness in XEP-0115? I can only think of DoS by lying about capabilities (when the hash of a liar's capabilities collides with someone's real caps). I'd think disabling XEP-0115 is the cure to recover and prevent it happening again.

Anyway, one might expect a replacement for SHA-1 to exist in 2011, as I read from http://www.schneier.com/blog/archives/2007/02/a_new_secure_ha.html

-lauri
