[hybi] -09: SHA-1

Peter Saint-Andre <stpeter@stpeter.im> Fri, 17 June 2011 17:35 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92ED111E80DF for <hybi@ietfa.amsl.com>; Fri, 17 Jun 2011 10:35:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.496
X-Spam-Level:
X-Spam-Status: No, score=-101.496 tagged_above=-999 required=5 tests=[AWL=-0.974, BAYES_00=-2.599, SUBJ_ALL_CAPS=2.077, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tQYAVnugKMDU for <hybi@ietfa.amsl.com>; Fri, 17 Jun 2011 10:35:43 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9A611E8071 for <hybi@ietf.org>; Fri, 17 Jun 2011 10:35:43 -0700 (PDT)
Received: from dhcp-64-101-72-207.cisco.com (dhcp-64-101-72-207.cisco.com [64.101.72.207]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id AF197400A5 for <hybi@ietf.org>; Fri, 17 Jun 2011 11:36:10 -0600 (MDT)
Message-ID: <4DFB906D.2000905@stpeter.im>
Date: Fri, 17 Jun 2011 11:35:41 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: "hybi@ietf.org" <hybi@ietf.org>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms080409060907020400000608"
Subject: [hybi] -09: SHA-1
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2011 17:35:44 -0000

In finishing my review of -09, I noticed the normative reference to
[FIPS.180-2.2002] for SHA-1. The WG might want to think about whether
the existing attacks against SHA-1 might raise concerns about a lack of
collision resistance for the Sec-WebSocket-Key header (see RFC 4270 and
RFC 6194 for details). It's probably worth saying something about this
in the security considerations.

My review is now complete. Thanks for listening!

Peter

-- 
Peter Saint-Andre
https://stpeter.im/