[mdx] MDQ draft and SHA-1

Ian Young ian at iay.org.uk
Mon Jan 13 07:55:35 PST 2020


Hi folks,

It has been some time since we've had anything significant to do to the query protocol draft. However, there has been some discussion on other lists of the protocol's use of SHA-1 in light of that algorithm's gradual crumbling to pieces. It's my belief that the recent results don't change anything for either SAML or MDQ, but given that the draft needs refreshing to stay unexpired anyway I have reworked the security considerations section to clarify this.

You can find the current editor's draft here:

https://github.com/iay/md-query/blob/master/draft-young-md-query-saml.txt

Section 4.2 "Use of SHA-1 in Transformed Identifiers" (ca. line 311) has been largely rewritten.

There's an explanation of those changes in A.13 (ca. line 593).

I have also added informative references to the SHAttered and Shambles attacks.

The other substantive change I've made this time round, which I can't imagine anyone objecting to (even before this month's announcement), is that I have changed SHA-1 from a SHOULD NOT to a MUST NOT for use in any digital signature on returned metadata.

    -- Ian
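
The two uses of SHA-1 the message distinguishes, as an added example that is not part of the original message or of the draft: SHA-1 as a naming transform for the entity identifier, and a client-side policy check that flags returned metadata whose XML signature uses a SHA-1 algorithm. The `{sha1}` prefix and `/entities/` path are assumed from the MDQ drafts; the sample metadata and function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

DS = "http://www.w3.org/2000/09/xmldsig#"
# XML Signature algorithm URIs that depend on SHA-1.
SHA1_ALGORITHMS = {
    DS + "sha1", DS + "rsa-sha1", DS + "dsa-sha1", DS + "hmac-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
}

# Constructed sample: SHA-256 signature method, but a SHA-1 reference digest.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod
        Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
</md:EntityDescriptor>"""


def transformed_identifier(entity_id):
    """'{sha1}' followed by the lowercase hex SHA-1 of the entityID."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def request_path(entity_id):
    """Request path with the transformed identifier percent-encoded."""
    return "/entities/" + quote(transformed_identifier(entity_id), safe="")


def sha1_signature_algorithms(metadata_xml):
    """List every SHA-1 based SignatureMethod or DigestMethod in the document.

    This is a policy pre-check only. It does not verify the signature, and a
    verifier must apply the same policy to the signature it actually checks.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter("{%s}%s" % (DS, tag)):
            if el.get("Algorithm", "") in SHA1_ALGORITHMS:
                found.append("%s: %s" % (tag, el.get("Algorithm")))
    return found


if __name__ == "__main__":
    print(request_path("https://idp.example.org/idp"))
    print(sha1_signature_algorithms(SAMPLE))  # non-empty list means reject
```

The sample is flagged even though its signature method is RSA with SHA-256, because the reference digest is still SHA-1.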



