[hybi] -09: SHA-1

Peter Saint-Andre <stpeter@stpeter.im> Fri, 17 June 2011 17:35 UTC


In finishing my review of -09, I noticed the normative reference to
[FIPS.180-2.2002] for SHA-1. The WG might want to think about whether
the existing attacks against SHA-1 might raise concerns about a lack of
collision resistance for the Sec-WebSocket-Key header (see RFC 4270 and
RFC 6194 for details). It's probably worth saying something about this
in the security considerations.

My review is now complete. Thanks for listening!


Peter Saint-Andre
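
Added example (not part of the original message, and not code from the draft's authors): where SHA-1 enters the WebSocket opening handshake, using the Sec-WebSocket-Accept derivation and sample values from RFC 6455, the published form of the draft under review. Function names are illustrative, and that -09 uses the same GUID and key format as the RFC is an assumption.

```python
import base64
import binascii
import hashlib
import hmac

# Fixed GUID the server appends to the client's key (RFC 6455, section 1.3).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def valid_key(key: str) -> bool:
    """Sec-WebSocket-Key must be base64 that decodes to a 16-byte nonce."""
    try:
        return len(base64.b64decode(key.strip(), validate=True)) == 16
    except (binascii.Error, ValueError):
        return False


def compute_accept(key: str) -> str:
    """Server side: Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    if not valid_key(key):
        raise ValueError("malformed Sec-WebSocket-Key")
    digest = hashlib.sha1((key.strip() + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def client_verify(sent_key: str, received_accept: str) -> bool:
    """Client side: recompute the digest and compare with the server's header."""
    expected = compute_accept(sent_key).encode("ascii")
    return hmac.compare_digest(expected, received_accept.strip().encode("utf-8"))


if __name__ == "__main__":
    # Sample key from RFC 6455; it is base64 of the 16 bytes "the sample nonce".
    sample_key = "dGhlIHNhbXBsZSBub25jZQ=="
    accept = compute_accept(sample_key)
    print("Sec-WebSocket-Accept:", accept)
    print("client accepts:", client_verify(sample_key, accept))
    # A header value that does not match the recomputed digest is rejected.
    print("tampered accepted:", client_verify(sample_key, "A" * 27 + "="))
```

The only place SHA-1 appears is `compute_accept`: its input is the client's nonce plus a public constant, and its output is echoed back in a response header.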