[PATCH RFC] sslutil: use base64 for key fingerprints (BC)
gregory.szorc at gmail.com
Wed Jul 6 14:14:20 EDT 2016
On Wed, Jul 6, 2016 at 10:38 AM, Kevin Bullock <
kbullock+mercurial at ringworld.org> wrote:
> > On Jul 6, 2016, at 11:20, Matt Mackall <mpm at selenic.com> wrote:
> > On Tue, 2016-07-05 at 23:36 -0700, Gregory Szorc wrote:
> >> # HG changeset patch
> >> # User Gregory Szorc <gregory.szorc at gmail.com>
> >> # Date 1467786847 25200
> >> # Tue Jul 05 23:34:07 2016 -0700
> >> # Node ID 6873eb9a931da6cfcb40b2aba2f75260db5a8200
> >> # Parent 73b0a50ff97787557e517779a33644149d25d0a8
> >> sslutil: use base64 for key fingerprints (BC)
> >> When I initially implemented support for SHA-256 and SHA-512
> >> certificate pinning, I copied the strategy used for SHA-1 fingerprints,
> >> which was to use hex fingerprints. SHA-256 and SHA-512 hashes are much
> >> longer. Using base 16 to represent the hash can be cumbersome.
> >> This patch switches the fingerprints for newer fingerprints (read:
> >> everything in [hostsecurity]) to base64. The resulting strings are
> >> smaller and easier on the eyes in error messages.
> > I've found it very useful to be able to check the fingerprint with my
> > browser. My browser's trust database is generally newer and more
> reliable than
> > the equivalent database (if any!) available to Mercurial on a random old
> > Breaking that seems like a bigger loss than is gained by compactness.
> > For the sake of discussion, the current fingerprint size is:
> > n/4 + n/8 - 1
> > 160: 59
> > 256: 95
> > 512: 191
> Can we make the colons optional in hex fingerprints (if they aren't
> already)? That takes it from the above to just n/4:
> 160: 40
> 256: 64
> 512: 128
> ...which isn't as good as base64, but retains the inspectability of the
> current arrangement.
The colons are already optional.
While I'm here, since I was on the fence about this and since mpm isn't a
fan, let's drop it.
In the future, we could add support for using base64 fingerprints in the
config. But I don't see a value in doing that today.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Mercurial-devel