ietf-openpgp

Re: I-D ACTION:draft-ietf-openpgp-rfc2440bis-01.txt

2000-10-02 21:29:20
The security notes still don't mention that there is a cryptographic
flaw in v4 signatures.  This needs to be fixed, or if there are good
reasons for not fixing it, it must at least be explained in the
document.

As I explained on January 19th:

| > I think I'm confused here. Suppose I have an implementation that does DSA
| > with SHA-1. Let us also suppose that Tiger gets broken. How does this
| > affect my DSA/SHA signature?
| 
| Then if I want to forge a signature, I find a message for which the
| Tiger hash value is identical to your original SHA-1 hash.  Unless
| your original signature was a v3 RSA signature, nothing in OpenPGP
| prevents me from setting the hash algorithm identifier for that
| message to Tiger.  That's why the RSA value in PKCS #1 contains a
| DigestInfo, and why the DSS specifies SHA-1 as the only signature
| algorithm.  Putting the hash algorithm identifier in the data
| protected by that very hash algorithm is pointless.
| 
| That clearly is a cryptographic weakness in the protocol, so it has to
| be mentioned in the RFC.

Most of the other issues I raised haven't been addressed either, but
as things are it looks like it would be pointless to invest a lot of
time in OpenPGP.
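The substitution described in the quoted exchange, as an added example that is not part of the original message and not code from any OpenPGP implementation. It models a v4-style signature whose hash algorithm octet lives inside the hashed data, a DSA-style signature primitive that signs only the bare hash value, and a verifier that reads the algorithm id from the packet. Assumptions, all constructed for the demo: the two hash algorithms are stand-ins (SHA-1 and SHA-256 in place of Tiger) truncated to 16 bits so a cross-algorithm collision can be brute-forced, the signature primitive is an HMAC under a secret the verifier shares (standing in for DSA's signature over the hash integer), the trailer is simplified to its fixed octets, and the messages are made up. The algorithm ids 2 and 6 follow the RFC 2440 hash algorithm registry (SHA-1 and TIGER/192).

```python
import hashlib
import hmac

# OpenPGP hash algorithm ids (RFC 2440 section 9.4): 2 = SHA-1, 6 = TIGER/192.
HASH_SHA1 = 2
HASH_TIGER = 6
PK_DSA = 17          # public-key algorithm id for DSA
TRUNC = 2            # toy: keep only 16 bits of each digest so a cross-algorithm
                     # collision is brute-forceable; real digests are 160/192 bits


def toy_hash(alg, data):
    """Toy stand-ins for the two hash algorithms, truncated to TRUNC bytes."""
    if alg == HASH_SHA1:
        return hashlib.sha1(data).digest()[:TRUNC]
    if alg == HASH_TIGER:
        # hashlib has no Tiger; SHA-256 plays the role of the "other" algorithm
        return hashlib.sha256(data).digest()[:TRUNC]
    raise ValueError("unknown hash algorithm id %d" % alg)


def v4_trailer(hash_alg):
    """Simplified v4 signature trailer: version, signature type, public-key
    algorithm, hash algorithm, (empty) hashed subpackets.  The hash algorithm
    octet sits inside the data that the hash itself protects."""
    return bytes([4, 0x00, PK_DSA, hash_alg, 0x00, 0x00])


def raw_sign(secret, alg, h, bind_alg):
    """Stand-in for DSA's signature over the bare hash value (an HMAC, so the
    verifier shares 'secret').  With bind_alg=True the algorithm id is folded
    into the signed value, the way PKCS #1 DigestInfo binds it for RSA."""
    signed = (bytes([alg]) if bind_alg else b"") + h
    return hmac.new(secret, signed, "sha256").digest()


def make_signature(secret, hash_alg, message, bind_alg=False):
    """Honest signer: hash message plus trailer, sign the hash value."""
    h = toy_hash(hash_alg, message + v4_trailer(hash_alg))
    return {"hash_alg": hash_alg, "sig": raw_sign(secret, hash_alg, h, bind_alg)}


def verify_v4(secret, message, pkt, bind_alg=False, allowed=None):
    """Verifier.  The weak form trusts pkt['hash_alg'] as found in the packet.
    'allowed' restricts the hash algorithm the way DSS pins DSA to SHA-1."""
    alg = pkt["hash_alg"]
    if allowed is not None and alg not in allowed:
        return False
    h = toy_hash(alg, message + v4_trailer(alg))
    expected = raw_sign(secret, alg, h, bind_alg)
    return hmac.compare_digest(expected, pkt["sig"])


def forge(message, pkt, target_alg, limit=1 << 22):
    """Attacker: find message' whose target_alg hash (over message' plus a
    trailer naming target_alg) equals the original hash, then relabel the
    packet.  No private key needed; the original signature value is reused."""
    orig_alg = pkt["hash_alg"]
    target = toy_hash(orig_alg, message + v4_trailer(orig_alg))
    for i in range(limit):
        cand = b"Pay Mallory 1000 EUR. #" + str(i).encode()   # constructed text
        if toy_hash(target_alg, cand + v4_trailer(target_alg)) == target:
            return cand, {"hash_alg": target_alg, "sig": pkt["sig"]}
    raise RuntimeError("no collision within limit")


def demo():
    secret = b"constructed-demo-signing-secret"
    msg = b"Pay Alice 10 EUR."                      # constructed message
    # Honest signer: DSA-style signature over the (toy) SHA-1 hash.
    pkt = make_signature(secret, HASH_SHA1, msg)
    forged_msg, forged_pkt = forge(msg, pkt, HASH_TIGER)
    # Same attack against a signature whose signed value includes the alg id.
    bound_pkt = make_signature(secret, HASH_SHA1, msg, bind_alg=True)
    bound_forged_msg, bound_forged_pkt = forge(msg, bound_pkt, HASH_TIGER)
    return {
        "original_verifies": verify_v4(secret, msg, pkt),
        "forgery_verifies_weak": verify_v4(secret, forged_msg, forged_pkt),
        "forgery_verifies_pinned": verify_v4(secret, forged_msg, forged_pkt,
                                             allowed={HASH_SHA1}),
        "forgery_verifies_bound": verify_v4(secret, bound_forged_msg,
                                            bound_forged_pkt, bind_alg=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The weak verifier accepts the relabelled packet because nothing outside the hash ties the signature to SHA-1: the forger never touches the private key, only the algorithm octet and the message. Either fix shown here closes it: pinning the hash algorithm at the verifier (as DSS does for DSA) or folding the algorithm id into the value that the signature primitive actually signs (as PKCS #1 DigestInfo does for RSA). No practical cross-algorithm collision between real SHA-1 and Tiger is known; the point is structural, namely that a verifier which takes the algorithm id from the packet gets only the security of the weakest hash it is willing to accept.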