On 23.02.2017 15:19, Peter Waher wrote: > Hello all. > > > SHA-1 is used in many places throughout XMPP. Examples include > authentication mechanisms (SCRAM-SHA-1) and entity capabilities > (XEP-0115), for instance. Concerning the recent report about > vulnerabilities found in SHA-1, should there be an effort to upgrade all > these to SHA-256 or later?
The examples you gave already come with built-in hash agility. For SCRAM there is RFC 7677, and XEP-0115 has the 'hash' attribute. But it may be sensible to change the mandatory hash algorithm of XEP-0155. And after we decided a successor of SHA-1 for XEP-0115 we could also fix the existing flaws of XEP-0115 like [1], because this would require a namespace bump anyway. I'm curious if we have protocols without hash agility. Those would be the ones who need the most attention. - Florian 1: http://markmail.org/message/mbkmaz52lgkeju6s#query:+page:1+mid:mbkmaz52lgkeju6s+state:results
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Standards mailing list Info: https://mail.jabber.org/mailman/listinfo/standards Unsubscribe: standards-unsubscr...@xmpp.org _______________________________________________