Re: [rtcweb] JSEP fingerprint hash requirements

Harald Alvestrand <harald@alvestrand.no> Mon, 21 October 2013 17:53 UTC


On 10/21/2013 06:38 PM, Martin Thomson wrote:
> On 21 October 2013 07:21, Harald Alvestrand <harald@alvestrand.no> wrote:
>> When receiving browser supports both A and B, we could argue that they
>> should be allowed to be different in the name of algorithm agility. But is
>> there a real gain in security achieved by it?
> Those are interesting cases, but they are easily solved by saying
> something like "MUST include/implement SHA-256".
>
> I don't think that the hash used by the certificate is actually
> relevant either.  Fingerprints are calculated, not observed or
> extracted.
Well... if the hash is what I think it is, you need to compute the hash
of the certificate (in the algorithm specified in the certificate) in
order to verify the RSA signature of the certificate.

So if you don't understand the hash algorithm the certificate specifies
... you can't verify the certificate's signature, and you are open to a
forged-certificate attack. Again - saying that they have to be the same
means that you only have to deal with one bad situation (you understand
neither), and not three bad situations (you are toast because there's
one of them you don't understand).

But I'm not a REAL crypto expert.  I may have misunderstood something.
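
The fingerprint check discussed in this thread, as an added example that is not part of the original message: it parses an SDP `a=fingerprint` line, recomputes the hash over the certificate bytes, and fails closed when the line names a hash function the receiver does not implement. The supported set, the function names and the stand-in certificate bytes are assumptions of the example; the attribute syntax and hashing over the DER encoding follow RFC 4572.

```python
import hashlib
import hmac

# SDP hash-function names (RFC 4572) mapped to hashlib names.
# Assumption: this receiver implements only these three; SHA-256 is the
# one the thread proposes as mandatory to implement.
SUPPORTED = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

# Constructed stand-in for the DER bytes of the peer's DTLS certificate.
SAMPLE_CERT_DER = b"constructed placeholder for DER-encoded certificate"


class FingerprintError(Exception):
    """The a=fingerprint attribute cannot be checked; treat as a failure."""


def parse_fingerprint(line):
    """Split 'a=fingerprint:<hash-func> <HH:HH:...>' into (name, digest)."""
    prefix = "a=fingerprint:"
    if not line.startswith(prefix):
        raise FingerprintError("not a fingerprint attribute")
    parts = line[len(prefix):].split()
    if len(parts) != 2:
        raise FingerprintError("malformed fingerprint attribute")
    octets = parts[1].split(":")
    if any(len(o) != 2 for o in octets):
        raise FingerprintError("fingerprint is not colon-separated octets")
    try:
        return parts[0].lower(), bytes.fromhex("".join(octets))
    except ValueError:
        raise FingerprintError("fingerprint contains non-hex characters")


def make_fingerprint(name, cert_der):
    """Build the attribute a sender would put in its offer or answer."""
    hexed = hashlib.new(SUPPORTED[name], cert_der).hexdigest().upper()
    pairs = [hexed[i:i + 2] for i in range(0, len(hexed), 2)]
    return "a=fingerprint:%s %s" % (name, ":".join(pairs))


def verify_fingerprint(line, cert_der):
    """True only if the certificate matches; unknown hash names raise."""
    name, claimed = parse_fingerprint(line)
    if name not in SUPPORTED:
        # Fail closed: an uncheckable fingerprint must never count as a match.
        raise FingerprintError("unsupported hash function: " + name)
    actual = hashlib.new(SUPPORTED[name], cert_der).digest()
    return hmac.compare_digest(actual, claimed)
```
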