Stephen Farrell wrote:
Mark,
Now that I've reset the brain a bit:-)
Mark Delany wrote:
The gap created by the signer is the problem here so the rule needs to
be that a signer must sign from strongest to weakest, WITH NO GAPS.
The assumption that all signers and verifiers have the same idea of an
absolute strength-order for hash algorithms is a bit optimistic.
For example, some countries do insist on national algorithms being
supported - see rfc 4357 for example. I don't think I want to get into
a dispute about whether the Gost-hash is better or worse than sha-256
(or whatever) - do you?
If you can't rank algorithms, is there any meaningful concept of a
"downgrade attack"?
I'm sort of wondering though if Mark's problem here might be just as
easily solved by having a "current"/"next" kind of routine. That is,
only allow two in play at any one time, where < n-1 is deprecated.
Considering that 2822 is not nimble (ie, no ability to negotiate
e2e), is there any real likelihood that a reasonable receiver will
be two versions behind? It sort of strikes me like 40 bit only rc4
ssl: should we even care about such lame receivers?
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html