search

erasmus-without-paper / ewp-specs-api-discovery

Specifications of EWP's Discovery API.
MIT License
3 stars 1 forks source link

Use SHA-256 fingerprint instead of SHA-1 fingerprint? #2

Closed wrygiel closed 8 years ago

wrygiel commented 8 years ago

In https://github.com/erasmus-without-paper/ewp-specs-api-echo/issues/2 @andydowling-ie wrote:

Suggest we replace SHA-1 (being deprecated) with SHA-256 or better for certificate fingerprints

and, later on:

I just realised that the choice of hash algorithm only applies if you're storing fingerprints and using them to compare certs. That said, certs with SHA-1/RSA are being deprecated and are being replaced with SHA-2.

wrygiel commented 8 years ago

If I understood you correctly:

  1. It is becoming possible to generate two self-signed certificates with the same SHA-1 fingerprint. (Or, to be more precise, to generate a self-signed certificate for a given SHA-1 fingerprint.)
  2. You are worried that some developers will use the fingerprint attribute to match the client's certificate, and allow it to access the resource, without validating the body of the <certificate> attribute.

Is this correct?

wrygiel commented 8 years ago

We are considering to host public key fingerprints only, so this becomes more important. I guess it won't hurt anyone if we switch to SHA-256, just in case. And it will make us look more secure once SHA-1 is finally broken. ;)

andydowling-ie commented 8 years ago

Sounds good to me :-)

Sent from my iPhone

On 12 Feb 2016, at 19:09, Wojciech Rygielski notifications@github.com wrote:

We are considering to host public key fingerprints only, so this becomes more important. I guess it won't hurt anyone if we switch to SHA-256, just in case. And it will make us look more secure once SHA-1 is finally broken. ;)

— Reply to this email directly or view it on GitHub.

wrygiel commented 8 years ago

Released in Discovery Manifest API v2.0.0.