pubsubhubbub / PubSubHubbub

The PubSubHubbub protocol specification.
http://pubsubhubbub.github.io/PubSubHubbub

PuSH 0.4 recommends old SHA1 signatures #40

aaronpk closed 7 years ago

aaronpk commented 8 years ago

Right now the spec says signatures for authed pings must be SHA1. http://pubsubhubbub.github.io/PubSubHubbub/pubsubhubbub-core-0.4.html#authednotify

Given that SHA1 is deprecated, it would seem a new solution is needed for the spec. I'm not sure of the best step forward, since simply updating it to use SHA256 will likely encounter the same problem in a few years. Maybe going the route that JWT took, where there is another property that indicates the signature method, so the spec doesn't have to change to support new crypto functions? On the other hand, that would seem to lead to less interoperable solutions, since clients couldn't guarantee availability of a specific signature method.

voxpelli commented 8 years ago

As the signature is specified as 'sha1=signature', it would just be a matter of the spec allowing other algorithm names in there and then perhaps providing a mechanism for negotiating what algorithm to use, perhaps by the subscriber telling the hub what algorithms it supports and the server picking the one it prefers amongst them?

aaronpk commented 7 years ago

Replaced by https://github.com/w3c/pubsubhubbub/issues/4
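
The `method=signature` idea discussed in this thread, as an added example that is not part of the thread or of the specification: the hub picks a method from those the subscriber offered, and the subscriber rejects any method it did not offer, so a valid SHA1 signature cannot be used to downgrade a SHA256-only subscriber. It assumes the header value is a hex HMAC of the request body keyed with the subscription secret, as in PuSH 0.4; the function names, the preference order and the negotiation step are hypothetical.

```python
import hmac

# Hub's preference, strongest first. The ordering is this example's policy (assumption).
HUB_PREFERENCE = ("sha512", "sha384", "sha256", "sha1")


def pick_algorithm(subscriber_supported, hub_preference=HUB_PREFERENCE):
    """Hub side: choose the hub's most-preferred method among those offered."""
    offered = {name.strip().lower() for name in subscriber_supported}
    for name in hub_preference:
        if name in offered:
            return name
    return None  # no common method, so no authenticated ping can be sent


def sign(secret: bytes, body: bytes, method: str) -> str:
    """Hub side: build the 'method=hexdigest' header value."""
    if method not in HUB_PREFERENCE:
        raise ValueError("unsupported method: " + method)
    return method + "=" + hmac.new(secret, body, method).hexdigest()


def verify(secret: bytes, body: bytes, header_value: str, accepted) -> bool:
    """Subscriber side: allow only offered methods, compare in constant time."""
    method, sep, digest = header_value.partition("=")
    method = method.strip().lower()
    if not sep or method not in accepted or method not in HUB_PREFERENCE:
        return False  # missing, unknown or downgraded method is rejected
    expected = hmac.new(secret, body, method).hexdigest()
    # Compare as bytes so a non-ASCII header value cannot raise TypeError.
    return hmac.compare_digest(expected.encode(), digest.strip().lower().encode())


# Constructed sample data, not taken from any real hub.
SECRET = b"constructed-shared-secret"
BODY = b"<feed><entry>constructed</entry></feed>"

if __name__ == "__main__":
    chosen = pick_algorithm(["sha1", "sha256"])
    header = sign(SECRET, BODY, chosen)
    print(chosen, verify(SECRET, BODY, header, {"sha1", "sha256"}))
```
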