On Fri, Feb 03, 2006 at 07:09:06PM +0100, Konrad Rosenbaum wrote:
Consequently one would also need to scrap the logic that a signature is
invalid if it predates the key (that's somewhere in RFC2440).
I disagree. I'm merely advocating moving the key creation time into the self
signature, which is the only obstacle to forgery anyway:
If you give me a signed document that predates the key along with that key,
I can change the date in the key, re-calculate the hash, change the
reference to the key in the signature and voila, I have a valid signature,
without access to any private info. The only thing stopping me is the
self-signature on the key, which also hashes the key creation date. So, that
self-signature is the real cryptographic protection, not the reference in the
document signature. Thus, one does not reduce security a bit by moving the key
creation date into the self-signature. That is where it belongs.
Why not: hash the _complete_ public key packet _as_is_ without any
The computational load of hashing a few bytes more and of slicing them first
should be about identical.
It is very easy to implement (read as: less potential security holes through
programming mistakes and higher interoperability).
It is much more resistant against upcoming attacks than a selective model.
I agree. This is why I am calling for throwing the key creation date out
of the key packet. The key packet should only contain an algorithm identifier,
the key material and possibly deterministic functions thereof.