ietf-openpgp

Re: DSA signatures

1999-03-24 12:01:08
In general, a signature is only as strong as the weaker of the
public key algorithm and the hash algorithm that is used to make it.
A forged signature using a weak hash algorithm is no good.  Ideally an
implementation will not implement weak public key or hash algorithms.
If it does, it should display to the end user the public key and hash
algorithms used in a signature, so that he can judge the strength of
the signature.

Hal

ulf(_at_)fitug(_dot_)de (Ulf Möller) writes:

Did it ever occur to anyone that allowing different hash algorithms
with DSA reduces security rather than increasing it?

In DSA signatures, the hash algorithm selector is secured only with the
selected hash algorithm itself. So, if SHA-1 is insecure, you can
forge signatures even if the key owner never uses SHA-1. If SHA-1 is
secure, but any other permissible hash algorithm is insecure, you can
also forge signatures. That would not be the case if OpenPGP had
followed the DSS.
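
Added example, not part of the original messages: a verifier-side check that reads the public key and hash algorithm IDs from an OpenPGP signature packet body, reports them for display as the reply suggests, and refuses any hash outside a local allowlist no matter which hash the key owner normally uses. The algorithm IDs are those assigned in RFC 4880; the function names, the `ALLOWED_HASHES` policy and the sample packet bodies are assumptions constructed for this illustration.

```python
# Algorithm IDs as assigned in the OpenPGP specification (RFC 4880, section 9).
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
              9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}

# Assumed local policy: hash IDs this verifier accepts per public-key algorithm.
# The selector in the packet is chosen by whoever produced the signature, so
# the verifier, not the packet, must decide which hashes are strong enough.
ALLOWED_HASHES = {1: {8, 9, 10}, 17: {8, 9, 10}}


def signature_algorithms(body):
    """Return (pubkey_algo, hash_algo) from a signature packet body."""
    if not body:
        raise ValueError("empty signature packet")
    version = body[0]
    if version == 4:
        # version, sig type, pubkey algo, hash algo, 2-byte hashed-subpacket length
        if len(body) < 6:
            raise ValueError("truncated v4 signature")
        return body[2], body[3]
    if version == 3:
        # version, hashed length (always 5), sig type, creation time (4),
        # key ID (8), pubkey algo, hash algo, left 16 bits of the hash
        if len(body) < 19 or body[1] != 5:
            raise ValueError("malformed v3 signature")
        return body[15], body[16]
    raise ValueError(f"unsupported signature version {version}")


def check_signature_header(body):
    """Return (accepted, label); call this before doing any signature math."""
    pk, h = signature_algorithms(body)
    pk_name = PUBKEY_ALGOS.get(pk, f"pubkey#{pk}")
    h_name = HASH_ALGOS.get(h, f"hash#{h}")
    accepted = h in ALLOWED_HASHES.get(pk, set())
    return accepted, f"{pk_name} with {h_name}"


# Constructed sample packet bodies (headers only, no real signature values).
SAMPLE_V4_DSA_SHA256 = bytes([4, 0x00, 17, 8, 0, 0])
SAMPLE_V4_DSA_MD5 = bytes([4, 0x00, 17, 1, 0, 0])
SAMPLE_V3_DSA_SHA1 = bytes([3, 5, 0x00]) + bytes(4) + bytes(8) + bytes([17, 2, 0, 0])

if __name__ == "__main__":
    for sample in (SAMPLE_V4_DSA_SHA256, SAMPLE_V4_DSA_MD5, SAMPLE_V3_DSA_SHA1):
        ok, label = check_signature_header(sample)
        print(("ACCEPT" if ok else "REJECT"), label)
```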
