- From: Joshua Cranmer 🐧 <pidgeot18@gmail.com>
- Date: Mon, 23 Feb 2015 12:17:49 -0600
- To: public-webcrypto-comments@w3.org
Hello, Is there any reason why HMAC-MD5 support is not in the list of acceptable algorithms? I'm presently building a SASL client implementation for use within email clients that relies on the Web Crypto API to implement the various crypto-backed challenge-response authentication mechanisms. However, I need HMAC-MD5 support to properly implement the CRAM-MD5 mechanism (cf. <http://tools.ietf.org/html/rfc2195>), which is by far the most commonly-supported of these challenge-response protocols in my survey of largest email domains. I'm aware that MD5 is no longer secure against collision attacks, but HMAC-MD5 does not (to my knowledge) rely on collision resistance, so HMAC-MD5 does not seem to warrant exclusion merely on the basis that it is insecure. -- Joshua Cranmer Thunderbird and DXR developer Source code archæologist
Received on Monday, 23 February 2015 18:18:28 UTC