- From: Trevor Perrin <trevp@trevp.net>
- Date: Mon, 24 Mar 2014 23:10:27 -0700
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi Brad,

On Mon, Mar 24, 2014 at 9:27 PM, Brad Hill <hillbrad@gmail.com> wrote:
> Because it's a standard, so we don't re-invent the wheel every time we or
> someone else does something like this.

It's an RFC, but I'm not aware of anyone using it.

> And maybe it's 20 pages because it
> went through a cycle of peer review at the IETF that addressed hopefully
> most of the issues and edge cases that we would probably painfully
> recapitulate, one at a time, over the next year if we did just try another
> one-off.

What are some issues and edge cases you think it's solving?

6920 has an IANA registry for hash algorithms, but doesn't include SHA-512, one of your mandatory algorithms.

It does have SHA-256 truncated at different levels. But it doesn't give meaningful guidance on when this is safe. So if you want to allow truncation, you'll still have to discuss it yourself.

6920 lets you specify content-type. But why wouldn't you save those bytes and hash the content-type? I'm still not seeing what this gives you.

Trevor
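For readers unfamiliar with what the thread is weighing, here is an added example (my code, not from the thread, the RFC or any W3C draft) that builds and checks RFC 6920 ni URIs, including the truncated SHA-256 names the registry defines. The algorithm table is a subset of the registry I am confident of; note that the `ct=` query parameter sits outside the hashed bytes, which is the content-type point raised in the message.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Subset of the RFC 6920 hash-algorithm registry. The suffix is the number of
# leftmost SHA-256 bits kept; no suffix means the full 256 bits. There is no
# SHA-512 entry, which is the gap the message above points out.
NI_ALGS = {"sha-256": 256, "sha-256-128": 128, "sha-256-120": 120,
           "sha-256-96": 96, "sha-256-64": 64, "sha-256-32": 32}

def ni_digest(alg: str, content: bytes) -> bytes:
    """SHA-256 of content, truncated to the length the registry name implies."""
    return hashlib.sha256(content).digest()[: NI_ALGS[alg] // 8]

def make_ni(alg: str, content: bytes, content_type: Optional[str] = None) -> str:
    """Build ni:///alg;val[?ct=type]; val is base64url without padding."""
    val = base64.urlsafe_b64encode(ni_digest(alg, content)).rstrip(b"=").decode()
    uri = f"ni:///{alg};{val}"
    # ct= is metadata outside the digest: nothing binds it to the content.
    return uri + (f"?ct={content_type}" if content_type else "")

_NI_RE = re.compile(r"^ni://(?P<auth>[^/?]*)/(?P<alg>[A-Za-z0-9-]+);"
                    r"(?P<val>[A-Za-z0-9_-]+)(?:\?(?P<q>.*))?$")

def parse_ni(uri: str) -> Tuple[str, bytes, Optional[str]]:
    """Return (alg, raw digest bytes, ct or None); ValueError if malformed."""
    m = _NI_RE.match(uri)
    if not m:
        raise ValueError("not an RFC 6920 ni URI")
    val = m["val"]
    digest = base64.urlsafe_b64decode(val + "=" * (-len(val) % 4))
    ct = None
    for part in (m["q"] or "").split("&"):
        key, _, value = part.partition("=")
        if key == "ct":
            ct = value
    return m["alg"], digest, ct

def verify_ni(uri: str, content: bytes) -> bool:
    """True iff content matches the URI's (possibly truncated) digest."""
    alg, digest, _ = parse_ni(uri)
    if alg not in NI_ALGS or len(digest) != NI_ALGS[alg] // 8:
        return False  # unknown algorithm or wrong digest length: reject, don't guess
    return hmac.compare_digest(digest, ni_digest(alg, content))
```

A truncated name such as sha-256-32 verifies just as cleanly as sha-256, which is why a consumer has to decide for itself which registry entries it will accept.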
Received on Tuesday, 25 March 2014 06:10:54 UTC