ditto here.

The primary reason for having a thumbprint was for finding keys in the
Windows crypto API.
The security property must not depend on it. If it wants to deal with
authentication, it should use the keys, IMHO.


2014-05-22 3:10 GMT+09:00 John Bradley <ve7...@ve7jtb.com>:

> I agree with Mike, many key stores use SHA1 thumbprints.   I don't know of
> any security consideration that makes SHA2 thumbprints better in any
> practical way.
>
> I don't think that adding SHA 2 thumbprints is something that we need to
> do now.
>
> John B.
>
> On May 1, 2014, at 1:46 PM, Kathleen Moriarty <
> kathleen.moriarty.i...@gmail.com> wrote:
>
> >>
> >> Mike> Per your JWS comment, SHA-1 thumbprints are widely deployed.  I’m
> >> aware of no SHA-256 certificate thumbprint deployments.  I’ll note that even
> >> if SHA-1 were completely broken, that wouldn’t be a security issue because
> >> it’s just being used to generate a digest of publicly available certificate
> >> information.  It’s not being used to cryptographically obscure anything.
> >> (But that’s actually a discussion for another draft. J)
> >>
> >
> > This is in place for the XML equivalents and should be possible for
> > JSON.  I used this at least 2 years ago in the XML Oxygen editor.  I
> > believe this has been brought up before in terms of JSON, so I am not
> > the first.  But it is another draft... I'd like to get through these
> > all soon :-)
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en