On Thursday, 23 February 2017 17:19:13 CET Dave Cridland wrote:
> On 23 February 2017 at 16:53, Florian Schmaus <f...@geekplace.eu> wrote:
> > On 23.02.2017 15:36, Florian Schmaus wrote:
> >> On 23.02.2017 15:19, Peter Waher wrote:
> >>> Hello all.
> >>>
> >>>
> >>> SHA-1 is used in many places throughout XMPP. Examples include
> >>> authentication mechanisms (SCRAM-SHA-1) and entity capabilities
> >>> (XEP-0115), for instance. Concerning the recent report about
> >>> vulnerabilities found in SHA-1, should there be an effort to upgrade all
> >>> these to SHA-256 or later?
> >>
> >> But it may be sensible to change the mandatory hash algorithm of
> >> XEP-0155. And after we decided a successor of SHA-1 for XEP-0115 we
> >> could also fix the existing flaws of XEP-0115 like [1], because this
> >> would require a namespace bump anyway.
> >
> > Correction. After having another look at XEP-0115, I don't think a
> > namespace bump is required. Implementations may simply add (another)
> > <c/> with hash='sha-256'. I do wonder if we shouldn't simply update the
> > examples in XEP-0115 so that they say "hash='sha-256'".
>
> No namespace bump, true, but it's still a compatibility break.
>
> So we may as well consider an update if there's benefit.

Yes please. I had thought about the issue with the hashing in XEP-0115 a few
months ago already. I would be happy to propose a specific wording (in form of
a GitHub pull request/diff) for the algorithm which is more clearly specified
and avoids the collisions one might be able to produce currently.

kind regards,
Jonas
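
The dual-advertisement idea discussed in this thread (a second `<c/>` with `hash='sha-256'` next to the SHA-1 one), as an added example that is not part of the original messages or of any XMPP library. It assumes the simple verification-string case of XEP-0115 (identities and features only, no extended data forms); the sample identity and features are constructed sample input, and the function names are hypothetical.

```python
import base64
import hashlib
from xml.sax.saxutils import quoteattr

# XEP-0115 hash names -> hashlib names; dict order is the receiver's
# preference (strongest first).
HASHES = {"sha-256": "sha256", "sha-1": "sha1"}

def verification_string(identities, features):
    """Input string for the caps hash: sorted identities, then sorted
    features, each terminated by '<' (data forms are not handled here)."""
    parts = [f"{cat}/{typ}/{lang}/{name}<"
             for cat, typ, lang, name in sorted(identities)]
    parts += [f"{feature}<" for feature in sorted(features)]
    return "".join(parts).encode("utf-8")

def caps_ver(identities, features, hash_name):
    """Base64 of the chosen digest over the verification string."""
    data = verification_string(identities, features)
    return base64.b64encode(hashlib.new(HASHES[hash_name], data).digest()).decode()

def caps_elements(node, identities, features, hash_names=("sha-1", "sha-256")):
    """One <c/> per hash, so SHA-1-only peers keep working."""
    return [
        "<c xmlns='http://jabber.org/protocol/caps' "
        f"hash={quoteattr(h)} node={quoteattr(node)} "
        f"ver={quoteattr(caps_ver(identities, features, h))}/>"
        for h in hash_names
    ]

def verify_caps(advertised, identities, features):
    """advertised maps hash name -> ver taken from the peer's <c/> elements.
    Checks only the strongest hash we support; returns (hash_name, ok)."""
    for h in HASHES:
        if h in advertised:
            return h, caps_ver(identities, features, h) == advertised[h]
    return None, False  # no supported hash: treat caps as unverified

# Constructed sample disco#info result (category, type, xml:lang, name).
IDENTITIES = [("client", "pc", "", "Exodus 0.9.1")]
FEATURES = [
    "http://jabber.org/protocol/muc",
    "http://jabber.org/protocol/caps",
    "http://jabber.org/protocol/disco#items",
    "http://jabber.org/protocol/disco#info",
]

if __name__ == "__main__":
    for element in caps_elements("http://code.google.com/p/exodus",
                                 IDENTITIES, FEATURES):
        print(element)
```

A receiver that only knows `sha-1` still validates the first element, which is the compatibility concern raised above; one that knows `sha-256` should ignore the SHA-1 value once a stronger one is present.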