ietf-openpgp
[Top] [All Lists]

DSA signatures

1999-03-24 11:30:45
Did it ever occur to anyone that allowing different hash algorithms
with DSA reduces security rather than increasing it?

In DSA signatures, hash algorithm selector is secured only with the
selected hash algorithm itself. So, if SHA-1 is insecure, you can
forge signatures even if the key owner never uses SHA-1. If SHA-1 is
secure, but any other permissible hash algorithm is insecure, you can
also forge signatures. That would not be the case if OpenPGP had
followed the DSS.

<Prev in Thread] Current Thread [Next in Thread>