ietf-dkim

Re: [ietf-dkim] New Issue: Base: Upgrade indication and protection against downgrade attacks

2006-02-15 18:27:57
On Thu, Feb 16, 2006 at 12:43:09AM +0000, Stephen Farrell allegedly wrote:

> Fair enough, but the problem is that the suggested scheme seems to
> be vulnerable if the less desirable hash algs are broken for collisions.
> That's exactly the problem seen with current hash functions.
>
> The signer might mark the rsa-md5 signature with "U=crap-alg" but the
> attacker can happily generate a colliding message with no "U=" at all.
>
> Is the scheme still worthwhile if that's the case? Or, have I
> misinterpreted your scheme?

I think you've mis-interpreted. The U= goes in the Selector of the
downgraded algorithm, not the signature.

Regardless of what the attacker does to the message, a verifier *has*
to fetch a Selector. If that Selector tells the verifier that they are
using a downgraded algorithm the verifier can act accordingly: i.e.
accept the risk if that's the best they can verify or fail the verify
if a higher grade sig isn't present.


Mark.
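An added example, not part of the thread, modelling the verifier side of the scheme Mark describes: the "U=" marker lives in the selector (key) record rather than the signature, so the verifier sees it on the selector fetch it must do anyway, whatever the attacker stripped from the message. "U=" is the tag proposed in this thread, not a standard DKIM key-record tag; the selector records, signatures and the `valid` flag (standing in for the cryptographic check) are all constructed.

```python
# Constructed selector (key) records, standing in for DNS TXT lookups.
# "U=" is the downgrade marker proposed in the thread (hypothetical tag).
SELECTOR_RECORDS = {
    "legacy._domainkey.example.com": "v=DKIM1; U=rsa-md5; p=PLACEHOLDER_KEY",
    "current._domainkey.example.com": "v=DKIM1; p=PLACEHOLDER_KEY",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict (DKIM tag-list style)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def evaluate(signatures, records=SELECTOR_RECORDS, accept_downgraded=False):
    """signatures: dicts with 's' (selector), 'd' (domain), 'a' (algorithm)
    and 'valid' (result of the cryptographic check, assumed already done).
    Note a colliding message *does* verify under the weak signature, which is
    exactly why the verdict cannot rely on the signature header alone.
    Returns 'pass', 'accept-with-risk' or 'fail'."""
    saw_downgraded = False
    for sig in signatures:
        if not sig["valid"]:
            continue  # signature did not verify; it contributes nothing
        record = records.get(f"{sig['s']}._domainkey.{sig['d']}")
        if record is None:
            continue  # no key record, so this signature cannot be verified
        tags = parse_tags(record)
        if "U" in tags:
            # The selector itself says this key belongs to a downgraded
            # algorithm; nothing the attacker did to the message changes that.
            saw_downgraded = True
            continue
        return "pass"  # a signature under a non-downgraded selector verified
    if saw_downgraded and accept_downgraded:
        return "accept-with-risk"  # best available, verifier opts to accept
    return "fail"  # only downgraded (or no) signatures verified
```

With only the rsa-md5 signature present the verdict is `fail` (or `accept-with-risk` if the verifier opts in), while adding a verifying signature under the unmarked `current` selector yields `pass`.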

_______________________________________________
NOTE WELL: This list operates according to 
http://dkim.org/ietf-list-rules.html
