> On 28 Jun 2022, at 10:28, Neil Madden <neil.mad...@forgerock.com> wrote:
>
>
>> On 28 Jun 2022, at 08:37, Daniel Fett <fett=40danielfett...@dmarc.ietf.org> wrote:
>>
>> […]
>>
>>>
>>> The fact that HASH(SALT | CLAIM-VALUE) is vulnerable to length extension
>>> attacks is also troubling, even if I can’t see an immediate attack. But
>>> it’s a weird property that Bob, for example, could make a commitment to
>>> some extension of one of Alice’s claims without actually knowing her claim
>>> value.
>> That would mean that Bob would need to be an issuer in this case?
>
> Well, that depends on whether the claims are blinded from the issuer too or
> not? I don’t think the draft specifies this at the moment. I can imagine a
> privacy-oriented OIDC OP that only stores/sees blinded identity claims for
> example.
Ah, I’ve just seen in section 5.1.1 that the issuer actually hashes a JSON
array rather than the raw concatenation of the salt and the claim value, so
this is not vulnerable to length extension anyway. That section also addresses
my other comments about entropy and unique salts per claim. I’d still recommend
using HMAC anyway, for the reasons I added in my last message, but it’s not as
urgent.
— Neil
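As an added illustration of the point above (this is example code, not from the draft or from anyone in the thread), the following contrasts a raw HASH(SALT | CLAIM-VALUE) commitment with a commitment over a JSON array and with the HMAC alternative. The array layout [salt, claim name, claim value] and the 16-byte salt size are assumptions for the example, not a statement of what section 5.1.1 specifies.

```python
import base64
import hashlib
import hmac
import json
import secrets


def new_salt(nbytes: int = 16) -> bytes:
    """Fresh, high-entropy salt for each claim (size assumed for this example)."""
    return secrets.token_bytes(nbytes)


def raw_concat_digest(salt: bytes, value: bytes) -> bytes:
    """HASH(SALT | CLAIM-VALUE): nothing encodes where the salt ends and the
    value begins, so (b"ab", b"c") and (b"a", b"bc") hash to the same digest,
    and the digest is a plain SHA-256 state that can be extended."""
    return hashlib.sha256(salt + value).digest()


def disclosure_digest(salt: bytes, claim_name: str, claim_value) -> str:
    """Commitment over a JSON array (assumed layout: [salt, name, value]).
    JSON framing delimits every element, so the salt/value split is
    unambiguous, and any bytes appended after the closing ']' (as a length
    extension would do) cannot be produced by re-encoding a disclosure."""
    salt_b64 = base64.urlsafe_b64encode(salt).rstrip(b"=").decode()
    disclosure = json.dumps([salt_b64, claim_name, claim_value],
                            separators=(",", ":"))
    return hashlib.sha256(disclosure.encode()).hexdigest()


def hmac_disclosure_digest(salt: bytes, claim_name: str, claim_value) -> str:
    """The HMAC variant suggested in the thread: the per-claim salt is the
    key, so the construction is not length-extendable regardless of framing."""
    msg = json.dumps([claim_name, claim_value], separators=(",", ":")).encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def verify_disclosure(digest: str, salt: bytes, claim_name: str, claim_value) -> bool:
    """Verifier side: recompute from the disclosed parts, compare in constant time."""
    return hmac.compare_digest(digest, disclosure_digest(salt, claim_name, claim_value))
```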
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth