pubsubhubbub/PubSubHubbub

PuSH 0.4 recommends old SHA1 signatures

aaronpk opened this issue · 2 comments

Right now the spec says signatures for authed pings must be SHA1. http://pubsubhubbub.github.io/PubSubHubbub/pubsubhubbub-core-0.4.html#authednotify

Given that SHA1 is deprecated, it would seem a new solution is needed for the spec. I'm not sure of the best step forward, since simply updating it to use SHA256 will likely encounter the same problem in a few years. Maybe going the route that JWT took where there is another property that indicates the signature method, so the spec doesn't have to change to support new crypto functions? On the other hand that would seem to lead to less interoperable solutions since clients couldn't guarantee availability of a specific signature method.

As the signature is specified as 'sha1=signature' it would just be a matter of the spec allowing other algorithm names in there and then perhaps providing a mechanism for negotiating what algorithm to use by perhaps the subscriber telling the hub what algorithms it supports and the server picking the one it prefers amongst them?

Replaced by w3c/websub#4
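A sketch of the `method=signature` idea from the comment above, added here as an example and not taken from the spec or from any hub implementation. The allowlist, the `negotiate` step and all function names are assumptions; PuSH 0.4 itself only defines `sha1`, computed as an HMAC over the request body with the subscription secret.

```python
import hashlib
import hmac

# Assumption: methods this example allows, strongest first.
SUPPORTED = ("sha512", "sha384", "sha256", "sha1")


def negotiate(subscriber_offers, hub_preference=SUPPORTED):
    """Hub side (hypothetical): pick the hub's most preferred method
    among those the subscriber says it supports, or None."""
    offered = {m.strip().lower() for m in subscriber_offers}
    for method in hub_preference:
        if method in offered:
            return method
    return None


def sign(secret: bytes, body: bytes, method: str) -> str:
    """Hub side: build the header value '<method>=<hex HMAC of body>'."""
    if method not in SUPPORTED:
        raise ValueError(f"unsupported method: {method}")
    return f"{method}={hmac.new(secret, body, method).hexdigest()}"


def verify(secret: bytes, body: bytes, header: str, accepted) -> bool:
    """Subscriber side: check a signature header.

    `accepted` is the set of methods agreed for this subscription. The
    method named in the header is only honoured if it is in that set, so
    a sender cannot fall back to a weaker hash by relabelling the header.
    """
    method, sep, given = header.partition("=")
    method = method.strip().lower()
    if not sep or method not in accepted or method not in SUPPORTED:
        return False
    expected = hmac.new(secret, body, method).hexdigest()
    # Constant-time comparison on bytes avoids a timing side channel.
    return hmac.compare_digest(expected.encode(), given.strip().lower().encode())


if __name__ == "__main__":
    secret, body = b"constructed-secret", b"<feed>constructed body</feed>"
    chosen = negotiate(["sha1", "sha256"])             # -> "sha256"
    header = sign(secret, body, chosen)
    print(chosen, verify(secret, body, header, {chosen}))
    # A correctly keyed sha1 signature is still refused after negotiation.
    print(verify(secret, body, sign(secret, body, "sha1"), {chosen}))
```
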