Re: [rtcweb] JSEP fingerprint hash requirements

Eric Rescorla <ekr@rtfm.com> Tue, 22 October 2013 15:40 UTC

In-Reply-To: <52666E6E.5060206@alvestrand.no>
References: <CAMvTgcfvaUMWJaD5zX2rt6DWOWBgHEA-SqNtOqxs_bOqw_Ygbg@mail.gmail.com> <CABkgnnXBdQOgs9OKYRrU4wYRghj3WH30=vo-q7iSVjUub1SKow@mail.gmail.com> <CABcZeBOGjsOTXPtAFh+KR9SDQv8tEtUDE3gLvSN+f5dZ2R2R1Q@mail.gmail.com> <CABkgnnVTv4jVZkCDHWKk_X8yb3VEGBLXh+sW00OCG6RXMNkpgA@mail.gmail.com> <5265386A.2020005@alvestrand.no> <CABkgnnUpwep1Gw+3t+bdc-vvatod-vQBpydSfcAqM93fk4vm+Q@mail.gmail.com> <52666E6E.5060206@alvestrand.no>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 22 Oct 2013 08:39:41 -0700
Message-ID: <CABcZeBNLYOJUeNe_7yF6p66uJ9f0oHkkhUBdcZ3+143L6rhmDg@mail.gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Content-Type: multipart/alternative; boundary="001a11c25d32f3f0f404e9563784"
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] JSEP fingerprint hash requirements

On Tue, Oct 22, 2013 at 5:24 AM, Harald Alvestrand <harald@alvestrand.no> wrote:

> On 10/21/2013 06:38 PM, Martin Thomson wrote:
>
>> On 21 October 2013 07:21, Harald Alvestrand <harald@alvestrand.no> wrote:
>>
>>> When the receiving browser supports both A and B, we could argue that they
>>> should be allowed to be different in the name of algorithm agility. But is
>>> there a real gain in security achieved by it?
>>>
>> Those are interesting cases, but they are easily solved by saying
>> something like "MUST include/implement SHA-256".
>>
>
> Until SHA-512 comes along.
>
> If I don't support SHA-512, and the certificate says you have to use
> SHA-512 to verify the certificate, but I have a fingerprint using SHA-256,
> am I exposed to some attack I'd have been protected against if I understood
> SHA-512, or not?


I'm not quite sure I follow. If the certificate isn't being third-party
validated, it's irrelevant what digest was used to sign the certificate.

-Ekr




>> I don't think that the hash used by the certificate is actually
>> relevant either.  Fingerprints are calculated, not observed or
>> extracted.
>>
>
> Well - they are extracted from SDP, and compared, which is a form of
> observation.... but you may be thinking of something else; I find that
> sentence hard to parse.
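The point Ekr and Martin make above (the fingerprint is computed by the receiver over the certificate bytes the DTLS peer presents, using the hash function named in the SDP `a=fingerprint` line, so the digest used to sign the certificate never enters into it) is easiest to see in code. The following is an added illustration, not code from any thread participant or from a browser implementation. It assumes the RFC 4572 attribute syntax (`a=fingerprint:<hash-func> <uppercase colon-separated hex>`) and uses a constructed byte string as a stand-in for a DER certificate; `compute_fingerprint`, `parse_fingerprint_attr` and `verify_peer_cert` are hypothetical helper names. It also shows the case Harald raises: a receiver that does not implement the hash function named in the SDP cannot check the fingerprint at all, so it should fail closed rather than accept the peer.

```python
import hashlib
import hmac

# SDP fingerprint hash-function names (RFC 4572 registry values) that this
# receiver implements. SHA-256 is the baseline the thread proposes as
# "MUST implement"; the others are optional. Nothing here inspects the
# certificate's own signature algorithm.
DEFAULT_SUPPORTED = {
    "sha-1": hashlib.sha1,
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}


def compute_fingerprint(cert_der: bytes, hash_func: str, supported=DEFAULT_SUPPORTED) -> str:
    """Hash the raw DER certificate with the named function.

    Returns uppercase, colon-separated hex as used in a=fingerprint. The input is
    the certificate exactly as presented in the DTLS handshake; it is treated as
    opaque bytes, so the digest used to sign it is irrelevant to this check.
    """
    try:
        ctor = supported[hash_func.lower()]
    except KeyError:
        # Fail closed: if we do not implement the named hash, the fingerprint
        # cannot be verified, and an unverifiable peer must not be accepted.
        raise ValueError(f"unsupported fingerprint hash function: {hash_func!r}")
    digest = ctor(cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def parse_fingerprint_attr(line: str) -> tuple[str, str]:
    """Split 'a=fingerprint:<hash-func> <hex>' into (hash_func, fingerprint).

    Hash-function names are case-insensitive; hex is normalised to uppercase so
    that a peer emitting lowercase hex still compares correctly.
    """
    prefix = "a=fingerprint:"
    if not line.startswith(prefix):
        raise ValueError("not an a=fingerprint attribute")
    parts = line[len(prefix):].split()
    if len(parts) != 2:
        raise ValueError("malformed a=fingerprint attribute")
    hash_func, fingerprint = parts
    return hash_func.lower(), fingerprint.upper()


def verify_peer_cert(cert_der: bytes, fingerprint_line: str, supported=DEFAULT_SUPPORTED) -> bool:
    """True iff the presented certificate matches the fingerprint signalled in SDP."""
    hash_func, expected = parse_fingerprint_attr(fingerprint_line)
    actual = compute_fingerprint(cert_der, hash_func, supported)
    # Constant-time comparison: this fingerprint is the only thing binding the
    # signalling channel to the DTLS peer, so compare it carefully.
    return hmac.compare_digest(actual.encode(), expected.encode())


# Constructed stand-in for a DER-encoded certificate. These are arbitrary bytes,
# not real X.509; a real receiver passes the peer's handshake certificate here.
CONSTRUCTED_CERT_DER = bytes(range(0x30, 0x30 + 64))
CONSTRUCTED_SDP_LINE = "a=fingerprint:sha-256 " + compute_fingerprint(CONSTRUCTED_CERT_DER, "sha-256")


if __name__ == "__main__":
    print(CONSTRUCTED_SDP_LINE)
    print("genuine cert matches:", verify_peer_cert(CONSTRUCTED_CERT_DER, CONSTRUCTED_SDP_LINE))

    # A certificate that differs in a single byte fails, regardless of what it claims.
    tampered = CONSTRUCTED_CERT_DER[:-1] + b"\x00"
    print("altered cert matches:", verify_peer_cert(tampered, CONSTRUCTED_SDP_LINE))

    # Harald's case: the offer names SHA-512 but this receiver only has SHA-256.
    sha512_line = "a=fingerprint:sha-512 " + compute_fingerprint(CONSTRUCTED_CERT_DER, "sha-512")
    only_sha256 = {"sha-256": hashlib.sha256}
    try:
        verify_peer_cert(CONSTRUCTED_CERT_DER, sha512_line, only_sha256)
    except ValueError as exc:
        print("receiver without SHA-512 rejects:", exc)
```

The receiver never parses the certificate's `signatureAlgorithm` field or validates a chain; the only inputs to the decision are the DER bytes and the hash name carried in SDP. Requiring every implementation to support SHA-256 guarantees that there is at least one hash both sides can compute, while the fail-closed branch means that an offer naming a hash the receiver lacks is rejected rather than silently skipped.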