Re: [rtcweb] JSEP fingerprint hash requirements

Harald Alvestrand <harald@alvestrand.no> Tue, 22 October 2013 12:24 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9266011E835B for <rtcweb@ietfa.amsl.com>; Tue, 22 Oct 2013 05:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.556
X-Spam-Level:
X-Spam-Status: No, score=-110.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LJnPKL-50mzS for <rtcweb@ietfa.amsl.com>; Tue, 22 Oct 2013 05:24:24 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id A099E11E81A0 for <rtcweb@ietf.org>; Tue, 22 Oct 2013 05:24:24 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 34C3D39E12D; Tue, 22 Oct 2013 14:24:23 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lUxAr7Q0i3zw; Tue, 22 Oct 2013 14:24:10 +0200 (CEST)
Received: from [192.168.1.17] (unknown [188.113.88.47]) by eikenes.alvestrand.no (Postfix) with ESMTPSA id 0B18B39E062; Tue, 22 Oct 2013 14:24:10 +0200 (CEST)
Message-ID: <52666E6E.5060206@alvestrand.no>
Date: Tue, 22 Oct 2013 14:24:14 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: Martin Thomson <martin.thomson@gmail.com>
References: <CAMvTgcfvaUMWJaD5zX2rt6DWOWBgHEA-SqNtOqxs_bOqw_Ygbg@mail.gmail.com> <CABkgnnXBdQOgs9OKYRrU4wYRghj3WH30=vo-q7iSVjUub1SKow@mail.gmail.com> <CABcZeBOGjsOTXPtAFh+KR9SDQv8tEtUDE3gLvSN+f5dZ2R2R1Q@mail.gmail.com> <CABkgnnVTv4jVZkCDHWKk_X8yb3VEGBLXh+sW00OCG6RXMNkpgA@mail.gmail.com> <5265386A.2020005@alvestrand.no> <CABkgnnUpwep1Gw+3t+bdc-vvatod-vQBpydSfcAqM93fk4vm+Q@mail.gmail.com>
In-Reply-To: <CABkgnnUpwep1Gw+3t+bdc-vvatod-vQBpydSfcAqM93fk4vm+Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] JSEP fingerprint hash requirements
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2013 12:24:30 -0000

On 10/21/2013 06:38 PM, Martin Thomson wrote:
> On 21 October 2013 07:21, Harald Alvestrand <harald@alvestrand.no> wrote:
>> When receiving browser supports both A and B, we could argue that they
>> should be allowed to be different in the name of algorithm agility. But is
>> there a real gain in security achieved by it?
> Those are interesting cases, but they easily solved by saying
> something like "MUST include/implement SHA-256".

Until SHA-512 comes along.

If I don't support SHA-512, and the certificate says you have to use 
SHA-512 to verify the certificate, but I have a fingerprint using 
SHA-256, am I exposed to some attack I'd have been protected against if 
I understood SHA-512, or not?
>
> I don't think that the hash used by the certificate is actually
> relevant either.  Fingerprints are calculated, not observed or
> extracted.

Well - they are extracted from SDP, and compared, which is a form of 
observation.... but you may be thinking of something else; I find that 
sentence hard to parse.