Update SHA1 text to allow for better hashing mechanisms #4

Closed
aaronpk opened this issue Sep 23, 2016 · 3 comments
Comments

@aaronpk
Member

aaronpk commented Sep 23, 2016

Here is what the WebCryptoAPI has done; we should probably use text like this:

https://www.w3.org/TR/WebCryptoAPI/#sha

@julien51
Collaborator

Thanks! I'll use that.

@aaronpk
Member Author

aaronpk commented Sep 23, 2016

It sounds like we'll need to change the text to explicitly allow alternative hashing algorithms to be used, where the key name of the signature corresponds to the hashing algorithm being used. Since it's a key name, there needs to be an explicit list of allowed hashes, otherwise it would be impossible to know which one is being used.

@aaronpk
Member Author

aaronpk commented Sep 23, 2016

Proposed new text:

"The X-Hub-Signature header's value must be in the form method=signature where method is one of the recognized algorithm names and signature is the hexadecimal representation of the signature. The signature MUST be computed using the HMAC algorithm [RFC6151] with the request body as the data and the hub.secret as the key."

(It looks like RFC2104 was replaced by RFC6151)

Then add a new section:

Recognized Algorithm Names

The following algorithms are added as recognized algorithm names, as specified by [FIPS PUB 180-4]:

  • "sha1"
    • The SHA-1 algorithm as specified in Section 6.1 of [FIPS PUB 180-4]
  • "sha256"
    • The SHA-256 algorithm as specified in Section 6.2
  • "sha384"
    • The SHA-384 algorithm as specified in Section 6.5
  • "sha512"
    • The SHA-512 algorithm as specified in Section 6.4
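
The `method=signature` header format and the explicit list of recognized names from the proposed text above, worked through as an added example that is not part of the issue thread or the specification. The function names, the `accepted` policy parameter, and the sample secret and body are assumptions made for illustration.

```python
import hashlib
import hmac

# The four recognized algorithm names from the proposed text.
RECOGNIZED = {
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}

# Constructed sample values, not taken from any real hub.
SECRET = b"constructed-hub-secret"
BODY = b'{"constructed": "notification body"}'


def sign(secret, body, method):
    """Hub side: build the header value 'method=signature'."""
    digest = hmac.new(secret, body, RECOGNIZED[method]).hexdigest()
    return f"{method}={digest}"


def verify(header, secret, body, accepted=frozenset(RECOGNIZED)):
    """Subscriber side: True only if the method is recognized, accepted by
    local policy, and the HMAC over the raw body matches."""
    method, sep, signature = header.strip().partition("=")
    # Unknown names are rejected outright: the name is the only thing that
    # says which hash was used, so it is matched against the explicit list.
    if not sep or method not in RECOGNIZED or method not in accepted:
        return False
    expected = hmac.new(secret, body, RECOGNIZED[method]).hexdigest()
    # Constant-time comparison; lowercase hex is assumed (case is not
    # addressed in the proposed text).
    return hmac.compare_digest(signature.encode(), expected.encode())


if __name__ == "__main__":
    header = sign(SECRET, BODY, "sha256")
    print(header, verify(header, SECRET, BODY))
    # A subscriber that no longer accepts sha1 (hypothetical local policy):
    strong = {"sha256", "sha384", "sha512"}
    print(verify(sign(SECRET, BODY, "sha1"), SECRET, BODY, accepted=strong))
```

The signature is computed over the raw request body bytes, so verification has to run before any parsing or re-serialization of the payload.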
