dhuseby / did-git-spec

Proposed specification for the did:git: method
Apache License 2.0

Are there any feasible security concerns for this method because of SHA-1 collision? #6

Closed kimdhamilton closed 5 years ago

kimdhamilton commented 5 years ago

Just checking if we need to add this to Security Considerations.

msporny commented 5 years ago

Yes, unhardened SHA-1 is broken both in theory and in practice. :)

https://shattered.io/

Since the did:git method relies on the initial commit hash in some way, it is possible to create two repos with the same commit hash where one of the repos is valid and the other contains an attack for versions of git that are older than v2.13.0.

Newer versions of git greater than v2.13.0 use Hardened SHA-1, so are not susceptible to the SHA-1 attack. Git is attempting to migrate away from SHA-1: https://github.com/git/git/blob/master/Documentation/technical/hash-function-transition.txt

The Security Considerations section should mention this as it's a critical vulnerability for versions of git v2.13.0 and the Git DID Method spec should probably have a "MUST NOT use git less than v2.13.0 to implement the Git DID Method" in it.

dhuseby commented 5 years ago

@kimdhamilton thanks for asking this question and thanks @msporny for the recommendation. I agree with it completely. The security section should probably say that this spec only applies to git >= 2.13.0.

I would have preferred that git use SHA-512/256 since it is noticeably faster on 64-bit machines than SHA-256 without any difference in the size of the resulting digest. But a guy should be happy with good enough.

@kimdhamilton will you make the note in the security section of the spec?

dhuseby commented 5 years ago

Once that lands we can close this.

kimdhamilton commented 5 years ago

> @kimdhamilton will you make the note in the security section of the spec?

Will do

kimdhamilton commented 5 years ago

Addressed with #11
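
One way an implementation could enforce the version floor discussed in this thread (git >= 2.13.0) before doing any did:git work. This is an added example, not part of the original issue or of the did:git spec; the function names `git_version_ok` and `require_hardened_git` are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to run did:git operations on git older than 2.13.0,
# the floor proposed in this thread. Function names are hypothetical.

MIN_MAJOR=2
MIN_MINOR=13

# git_version_ok "<output of git --version>"
# Returns 0 if the version is >= 2.13.0, 1 if it is older,
# and 2 if the string cannot be parsed (callers should fail closed).
# Vendor suffixes such as "2.39.2 (Apple Git-143)" or "2.13.0.windows.1"
# are tolerated; only the major and minor fields matter for a x.y.0 floor.
git_version_ok() {
    _v=${1#git version }
    [ "$_v" != "$1" ] || return 2        # not `git --version` output
    _v=${_v%% *}                         # drop a trailing " (vendor build)"
    _major=${_v%%.*}
    _rest=${_v#*.}
    [ "$_rest" != "$_v" ] || return 2    # no minor component at all
    _minor=${_rest%%.*}
    case "$_major" in ''|*[!0-9]*) return 2 ;; esac
    case "$_minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$_major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$_major" -lt "$MIN_MAJOR" ]; then return 1; fi
    if [ "$_minor" -ge "$MIN_MINOR" ]; then return 0; fi
    return 1
}

# Check the git binary on PATH; any failure (missing git, unparseable
# output, old version) is treated as "do not proceed".
require_hardened_git() {
    _out=$(git --version 2>/dev/null) || {
        echo "git not found on PATH" >&2
        return 2
    }
    if git_version_ok "$_out"; then
        return 0
    fi
    echo "refusing to run: need git >= $MIN_MAJOR.$MIN_MINOR.0, found: $_out" >&2
    return 1
}
```

Call `require_hardened_git` once at start-up and abort on any non-zero status.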