[http-auth] Definition of SHA256 and SHA512/256 algorithms in RFC 7616
Chaim Geretz <chaim.geretz@idt.net> Wed, 28 December 2016 19:19 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/mSghM0Y8akYjhygZFUYJHdgeMvg>
Greetings,

I think that RFC 7616 needs to define or point to a document describing how the various hash algorithms mentioned in Section 3.2 are to be implemented.

Inspecting the values used in Section 3.9.2 for userhash and response shows that they are generated by truncating the hex output of a sha512 hash to the initial 64 hex characters. If this is the desired implementation of SHA512/256 then this should be mentioned in the RFC.

If the intention is to use SHA512/256 as described in FIPS 180.4 then this should be mentioned, and the values changed to

userhash="793263caabb707a56211940d90411ea4a575adeccb7e360aeb624ed06ece9b0b"

and

response="3798d4131c277846293534c3edc11bd8a5e4cdcbff78b05db9d95eeb1cec68a5"

Chaim Geretz