- From: J.C. Jones <jc@mozilla.com>
- Date: Fri, 15 Jul 2016 15:33:07 -0700
- To: Vijay Bharadwaj <vijaybh@microsoft.com>
- Cc: W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <CAObDDPBA=kCN0yJaozbTQ2GJ=abEDds7H2dJn1m8zeeyyLrhOQ@mail.gmail.com>
Whoops. You're correct, of course. For some reason I wasn't considering that the RP ID is checked against the origin.

Uh, happy Friday!

Cheers,
J.C.

On Fri, Jul 15, 2016 at 3:29 PM, Vijay Bharadwaj <vijaybh@microsoft.com> wrote:

> Thanks for the review, and thanks for getting Travis-CI working again. I merged from master to trigger a new build and it works now.
>
> Nit: this isn't entirely accurate:
>
> > We should all be comfortable then with SHA2's collision resistance surviving for the life of the standard
>
> For a meaningful attack on this, you really need to break SHA256's second preimage resistance.
>
> Collision resistance means that you can find two strings that hash to the same value. The odds of either such string being a valid RP ID are infinitesimal. What an attacker really cares about is finding an RP ID that hashes to the same value as someone else's existing RP ID. That's a second preimage attack.
>
> This is important because historically second preimage attacks have been a lot harder to find than collision attacks. For instance, MD5 is horribly broken from a collision perspective but I'm not aware of a practical second preimage attack.
>
> *From:* J.C. Jones [mailto:jc@mozilla.com]
> *Sent:* Friday, July 15, 2016 1:48 PM
> *To:* Vijay Bharadwaj <vijaybh@microsoft.com>
> *Cc:* W3C WebAuthn WG <public-webauthn@w3.org>
> *Subject:* Re: Please review: PR#144 on adding RP ID to signature format
>
> Vijay,
>
> This looks good to me (and I posted as such on the PR).
>
> Just for everyone's note, with this change we're defining SHA-256 as being a required algorithm for producing the digest of the RP ID for the lifetime of the spec. There's not an obvious clean way to provide crypto agility here without having compat issues. We should all be comfortable then with SHA2's collision resistance surviving for the life of the standard, or resign ourselves to compat issues moving credentials from one system to another.
>
> Cheers,
>
> J.C.
>
> On Thu, Jul 14, 2016 at 5:30 PM, Vijay Bharadwaj <vijaybh@microsoft.com> wrote:
>
> Apologies, forgot to include the link: https://github.com/w3c/webauthn/pull/144
>
> *From:* Vijay Bharadwaj
> *Sent:* Thursday, July 14, 2016 5:30 PM
> *To:* W3C WebAuthn WG <public-webauthn@w3.org>
> *Subject:* Please review: PR#144 on adding RP ID to signature format
>
> I mentioned this PR on the call yesterday – it adds the RP ID to the signature format. Since the call, I've made another pass at the sections and tightened up a few things in the wording. I also added the RP ID to the ClientData since otherwise the RP has nothing to check the RP ID hash against, and this is needed especially for makeCredential.
>
> Since I have been pushing commits to this over the course of the day, I figured I'd let everyone know that I'm now done messing with it and it's ready for review.
>
> Please take a look at the PR and send feedback. Thanks!
>
> --
>
> -Vijay
Received on Friday, 15 July 2016 22:34:01 UTC
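The two checks the thread turns on, the client tying the RP ID to the caller's origin and the RP comparing the SHA-256 digest it receives against its own RP ID, written out as an added example. This is not code from the thread, from PR#144 or from the WebAuthn spec; it assumes the authenticator-data layout WebAuthn later settled on (rpIdHash in the first 32 bytes, then a flags byte and a 4-byte counter), and its origin check is a simplified label-suffix rule that omits the public-suffix ("registrable domain") requirement. The function and constant names are this example's own.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed layout (current WebAuthn, not the 2016 PR): authenticator data begins
# with SHA-256(RP ID), followed by one flags byte and a 4-byte big-endian counter.
RP_ID_HASH_LEN = 32
MIN_AUTH_DATA_LEN = RP_ID_HASH_LEN + 1 + 4


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 digest of the RP ID string, the fixed algorithm the thread discusses."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Client-side check that binds the requested RP ID to the caller's origin.

    The RP ID must equal the origin's host or be a parent domain of it (a
    label-wise suffix). Simplification: the real rule additionally requires the
    RP ID to be a registrable domain, so a bare public suffix like "com" would
    also have to be rejected. This check is why a digest-only substitution is
    not enough: a substituted RP ID must both hash to the victim's digest and
    satisfy this domain relationship, i.e. a second-preimage problem under a
    tight constraint, not a free collision search.
    """
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower().rstrip(".")
    rp = rp_id.lower().rstrip(".")
    if parts.scheme != "https" or not host or not rp:
        return False
    return host == rp or host.endswith("." + rp)


def verify_rp_id_hash(auth_data: bytes, expected_rp_id: str) -> bool:
    """Server-side check: the rpIdHash the authenticator signed must equal
    SHA-256 of the RP's own ID. Uses a constant-time compare out of habit;
    the digest is not secret, but the habit costs nothing."""
    if len(auth_data) < MIN_AUTH_DATA_LEN:
        return False
    return hmac.compare_digest(auth_data[:RP_ID_HASH_LEN], rp_id_hash(expected_rp_id))


def build_auth_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    """Constructed sample authenticator data: rpIdHash || flags || counter."""
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")


if __name__ == "__main__":
    sample = build_auth_data("example.com")  # constructed, not a captured message
    print(verify_rp_id_hash(sample, "example.com"))   # True
    print(verify_rp_id_hash(sample, "examp1e.com"))   # False: a different RP ID gives a different digest
    print(rp_id_valid_for_origin("example.com", "https://login.example.com"))    # True
    print(rp_id_valid_for_origin("other.example", "https://login.example.com"))  # False
```

The origin check runs in the client before any digest is computed, and the digest check runs on the RP after the signature arrives; both must hold, which is the point J.C. concedes in the top message.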