[PATCH RFC] sslutil: use base64 for key fingerprints (BC)
Kevin Bullock
kbullock+mercurial at ringworld.org
Wed Jul 6 13:38:17 EDT 2016
> On Jul 6, 2016, at 11:20, Matt Mackall <mpm at selenic.com> wrote:
>
> On Tue, 2016-07-05 at 23:36 -0700, Gregory Szorc wrote:
>> # HG changeset patch
>> # User Gregory Szorc <gregory.szorc at gmail.com>
>> # Date 1467786847 25200
>> # Tue Jul 05 23:34:07 2016 -0700
>> # Node ID 6873eb9a931da6cfcb40b2aba2f75260db5a8200
>> # Parent 73b0a50ff97787557e517779a33644149d25d0a8
>> sslutil: use base64 for key fingerprints (BC)
>>
>> When I initially implemented support for SHA-256 and SHA-512
>> certificate pinning, I copied the strategy used for SHA-1 fingerprints,
>> which was to use hex fingerprints. SHA-256 and SHA-512 hashes are much
>> longer. Using base 16 to represent the hash can be cumbersome.
>>
>> This patch switches the fingerprints for newer fingerprints (read:
>> everything in [hostsecurity]) to base64. The resulting strings are
>> smaller and easier on the eyes in error messages.
>
> I've found it very useful to be able to check the fingerprint with my laptop's
> browser. My browser's trust database is generally newer and more reliable than
> the equivalent database (if any!) available to Mercurial on a random old server.
> Breaking that seems like a bigger loss than is gained by compactness.
>
> For the sake of discussion, the current fingerprint size is:
>
> n/4 + n/8 - 1
>
> 160: 59
> 256: 95
> 512: 191
Can we make the colons optional in hex fingerprints (if they aren't already)? That takes it from the above to just n/4:
160: 40
256: 64
512: 128
...which isn't as good as base64, but retains the inspectability of the current arrangement.
pacem in terris / мир / शान्ति / سَلاَم / 平和
Kevin R. Bullock
More information about the Mercurial-devel
mailing list