Re: [rtcweb] JSEP fingerprint hash requirements

Martin Thomson <martin.thomson@gmail.com> Mon, 21 October 2013 16:39 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A34A11E85D6 for <rtcweb@ietfa.amsl.com>; Mon, 21 Oct 2013 09:39:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.53
X-Spam-Level:
X-Spam-Status: No, score=-2.53 tagged_above=-999 required=5 tests=[AWL=0.070, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FpwV0VATb8sJ for <rtcweb@ietfa.amsl.com>; Mon, 21 Oct 2013 09:39:56 -0700 (PDT)
Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) by ietfa.amsl.com (Postfix) with ESMTP id A856311E8532 for <rtcweb@ietf.org>; Mon, 21 Oct 2013 09:38:12 -0700 (PDT)
Received: by mail-wi0-f179.google.com with SMTP id hm4so4313499wib.6 for <rtcweb@ietf.org>; Mon, 21 Oct 2013 09:38:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=d3NKKqbZFBWOb6rKOZl3LbowrHo2CPfQpraRau9hc8Y=; b=EWODzR6ZffP2ExkDKEatlbZCqZrcNLXMrq5UIp4VtjmMeqgUKH5dF5GMIR2mh+drvO qeByIMc4pxw33oMaO04nzyhWHWP3b9e57kwpX1XpZ+moG93Gh57U8+KyvyF2Y1vi7hnW zweIpkvbeZ8aRxXWGBIUpJ3I7D2tDTTWTk4uecyBn85L/H8qiljkBbfMzIZBCTzIkbiw QwtMw3Pr41TRQS0e1ziC88c85bpiwFChpqGzgsiDf6RhkDBTcqp7G7OpbSHA93Cqdc6e xDqgZDj0G+6xYK0cu+Pnc8+nHXcr1fhU+pDB+f1rq127AVAE+ytFI//R4CWjdlMvGIqL OoFA==
MIME-Version: 1.0
X-Received: by 10.180.92.100 with SMTP id cl4mr13650337wib.1.1382373491269; Mon, 21 Oct 2013 09:38:11 -0700 (PDT)
Received: by 10.227.202.194 with HTTP; Mon, 21 Oct 2013 09:38:11 -0700 (PDT)
In-Reply-To: <5265386A.2020005@alvestrand.no>
References: <CAMvTgcfvaUMWJaD5zX2rt6DWOWBgHEA-SqNtOqxs_bOqw_Ygbg@mail.gmail.com> <CABkgnnXBdQOgs9OKYRrU4wYRghj3WH30=vo-q7iSVjUub1SKow@mail.gmail.com> <CABcZeBOGjsOTXPtAFh+KR9SDQv8tEtUDE3gLvSN+f5dZ2R2R1Q@mail.gmail.com> <CABkgnnVTv4jVZkCDHWKk_X8yb3VEGBLXh+sW00OCG6RXMNkpgA@mail.gmail.com> <5265386A.2020005@alvestrand.no>
Date: Mon, 21 Oct 2013 09:38:11 -0700
Message-ID: <CABkgnnUpwep1Gw+3t+bdc-vvatod-vQBpydSfcAqM93fk4vm+Q@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Content-Type: text/plain; charset="UTF-8"
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] JSEP fingerprint hash requirements
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2013 16:39:57 -0000

On 21 October 2013 07:21, Harald Alvestrand <harald@alvestrand.no> wrote:
> When receiving browser supports both A and B, we could argue that they
> should be allowed to be different in the name of algorithm agility. But is
> there a real gain in security achieved by it?

Those are interesting cases, but they easily solved by saying
something like "MUST include/implement SHA-256".

I don't think that the hash used by the certificate is actually
relevant either.  Fingerprints are calculated, not observed or
extracted.