> On 28 Jun 2022, at 08:37, Daniel Fett <fett=40danielfett...@dmarc.ietf.org>
> wrote:
>
> […]
>
>>
>> The fact that HASH(SALT | CLAIM-VALUE) is vulnerable to length extension
>> attacks is also troubling, even if I can’t see an immediate attack. But it’s
>> a weird property that Bob, for example, could make a commitment to some
>> extension of one of Alice’s claims without actually knowing her claim value.
> That would mean that Bob would need to be an issuer in this case?
Well, that depends on whether the claims are blinded from the issuer too or
not? I don’t think the draft specifies this at the moment. I can imagine a
privacy-oriented OIDC OP that only stores/sees blinded identity claims for
example.
>>
>> You can address both of these issues by instead using a compactly committing
>> PRF [1], such as HMAC, i.e., HMAC-HASH(SALT, CLAIM-VALUE) rather than a simple
>> prefix hash.
> Given the advantages, we will consider using an HMAC.
Great, I think using HMAC just eliminates any concerns, however remote. This
use of HMAC is also identical to HKDF-Extract, which has quite a lot of
argument backing it up for being a strong computational extractor, where simple
hashes are often not (see RFC 5869 and particularly the original paper it links
to, which discusses these topics in depth).
[…]
— Neil
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth