Re: [webauthn] Random prefixes to reduce hash requirement of RSA+SHA-1 to TCR from Mike Jones via GitHub on 2018-02-26 (public-webauthn@w3.org from February 2018)

From: Mike Jones via GitHub <sysbot+gh@w3.org>
Date: Mon, 26 Feb 2018 18:25:10 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-368599166-1519669508-sysbot+gh@w3.org>

Thanks for the idea, @agl .  For what it's worth, as WebAuthn / FIDO 2 are using RSA-SSA-SHA-1, what we're concerned about is the TPM 1 signing output using this algorithm, which have no way of altering.  But yes, we have to get past the Designated Experts to even register the algorithm.

I plan to work with Sean Turner (also one of the DEs) at IETF in London on what we should do.  Sean was one of the authors of https://tools.ietf.org/html/rfc6194 (Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms), and so is an authority on the Subject.


-- 
GitHub Notification of comment by selfissued
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/822#issuecomment-368599166 using your GitHub account

Received on Monday, 26 February 2018 18:25:16 UTC