[PATCH RFC] sslutil: use base64 for key fingerprints (BC)

Gregory Szorc gregory.szorc at gmail.com
Wed Jul 6 14:14:20 EDT 2016


On Wed, Jul 6, 2016 at 10:38 AM, Kevin Bullock <
kbullock+mercurial at ringworld.org> wrote:

> > On Jul 6, 2016, at 11:20, Matt Mackall <mpm at selenic.com> wrote:
> >
> > On Tue, 2016-07-05 at 23:36 -0700, Gregory Szorc wrote:
> >> # HG changeset patch
> >> # User Gregory Szorc <gregory.szorc at gmail.com>
> >> # Date 1467786847 25200
> >> #      Tue Jul 05 23:34:07 2016 -0700
> >> # Node ID 6873eb9a931da6cfcb40b2aba2f75260db5a8200
> >> # Parent  73b0a50ff97787557e517779a33644149d25d0a8
> >> sslutil: use base64 for key fingerprints (BC)
> >>
> >> When I initially implemented support for SHA-256 and SHA-512
> >> certificate pinning, I copied the strategy used for SHA-1 fingerprints,
> >> which was to use hex fingerprints. SHA-256 and SHA-512 hashes are much
> >> longer. Using base 16 to represent the hash can be cumbersome.
> >>
> >> This patch switches the fingerprints for newer fingerprints (read:
> >> everything in [hostsecurity]) to base64. The resulting strings are
> >> smaller and easier on the eyes in error messages.
> >
> > I've found it very useful to be able to check the fingerprint with my
> laptop's
> > browser. My browser's trust database is generally newer and more
> reliable than
> > the equivalent database (if any!) available to Mercurial on a random old
> server.
> > Breaking that seems like a bigger loss than is gained by compactness.
> >
> > For the sake of discussion, the current fingerprint size is:
> >
> >  n/4 + n/8 - 1
> >
> >  160: 59
> >  256: 95
> >  512: 191
>
> Can we make the colons optional in hex fingerprints (if they aren't
> already)? That takes it from the above to just n/4:
>
> 160: 40
> 256: 64
> 512: 128
>
> ...which isn't as good as base64, but retains the inspectability of the
> current arrangement.
>

The colons are already optional.

While I'm here, since I was on the fence about this and since mpm isn't a
fan, let's drop it.

In the future, we could add support for using base64 fingerprints in the
config. But I don't see a value in doing that today.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.mercurial-scm.org/pipermail/mercurial-devel/attachments/20160706/023e2838/attachment.html>


More information about the Mercurial-devel mailing list