On Sun, Mar 26, 2006 at 10:02:18AM -0800, "Hal Finney" wrote:
> * The DSA algorithm will work with any hash, but it is
> sensitive to the quality of the hash algorithm. An implementation
> should take care which hash algorithms are used with DSA.
> Verifiers should be aware that even if the signer used a strong
> hash, an attacker could have modified a signature to use a
> weak one. Only signatures issued using acceptably strong hash
> algorithms should be accepted as valid.
>
> On re-reading this I have two improvements. The second sentence is
> redundant. And the last sentence cautions verifiers about what hash
> was used when the sig was "issued", but the verifier doesn't know this
> (that is the point); it only knows what it sees:
>
> * The DSA algorithm will work with any hash, but it is
> sensitive to the quality of the hash algorithm. Verifiers
> should be aware that even if the signer used a strong hash,
> an attacker could have modified a signature to use a weak one.
> Only signatures using acceptably strong hash algorithms should
> be accepted as valid.
Yes, I made a similar change in the "round 2" changes for the same
reason. I've fixed the redundant second sentence for round 3.
David
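The verifier-side rule the thread settles on ("only signatures using acceptably strong hash algorithms should be accepted") can be shown concretely. The following is an added example written for this page, not code from the OpenPGP working group or any implementation discussed in the thread. It uses textbook DSA with deliberately small, toy-sized domain parameters, truncates the digest to the bit length of q as FIPS 186 specifies, and carries the hash algorithm id in the signature using the ids OpenPGP assigns (RFC 4880 section 9.4). The allowlist of acceptable hash ids is an assumption chosen for the illustration; the point it makes is that the verifier decides on the hash id it sees in the signature, before doing any DSA arithmetic, because the arithmetic alone would accept a valid signature over a weak hash just as readily.

```python
"""Toy DSA verifier that enforces a hash-algorithm policy before checking the
signature mathematics.  Illustrative example, not production code: parameter
sizes are tiny so the script runs in well under a second."""
import hashlib
import random
from dataclasses import dataclass
from typing import Dict, Tuple

# Hash algorithm ids as assigned by OpenPGP (RFC 4880, section 9.4).
HASH_ALGOS = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}

# Verifier policy (an assumption made for this example): accept SHA-2 only.
ACCEPTABLE_HASH_IDS = frozenset({8, 9, 10, 11})

_rng = random.Random(20060326)  # fixed seed so the example is reproducible


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class DsaParams:
    p: int
    q: int
    g: int


@dataclass(frozen=True)
class Signature:
    hash_id: int  # which hash the signer claims to have used
    r: int
    s: int


def generate_params(q_bits: int = 64, p_bits: int = 256) -> DsaParams:
    """Toy DSA domain parameters: q prime, q | p-1, g of order q mod p."""
    while True:
        q = _rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = (_rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1  # k even, q odd -> p odd
        if is_probable_prime(p):
            break
    while True:
        g = pow(_rng.randrange(2, p - 1), (p - 1) // q, p)
        if g != 1:
            return DsaParams(p, q, g)


def hash_to_int(hash_id: int, message: bytes, q: int) -> int:
    """Leftmost min(N, outlen) bits of the digest, N = bit length of q (FIPS 186)."""
    digest = hashlib.new(HASH_ALGOS[hash_id], message).digest()
    excess = len(digest) * 8 - q.bit_length()
    z = int.from_bytes(digest, "big")
    return z >> excess if excess > 0 else z


def sign(params: DsaParams, x: int, hash_id: int, message: bytes) -> Signature:
    p, q, g = params.p, params.q, params.g
    z = hash_to_int(hash_id, message, q)
    while True:
        k = _rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (z + x * r)) % q
        if r != 0 and s != 0:
            return Signature(hash_id, r, s)


def dsa_verify_math(params: DsaParams, y: int, message: bytes, sig: Signature) -> bool:
    """Raw DSA verification with no opinion about which hash was used."""
    p, q, g = params.p, params.q, params.g
    if not (0 < sig.r < q and 0 < sig.s < q):
        return False
    w = pow(sig.s, -1, q)
    u1 = (hash_to_int(sig.hash_id, message, q) * w) % q
    u2 = (sig.r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == sig.r


def verify(params: DsaParams, y: int, message: bytes, sig: Signature) -> Tuple[bool, str]:
    """Policy first: the verifier only knows the hash id it sees in the signature."""
    if sig.hash_id not in HASH_ALGOS:
        return False, "unknown hash algorithm id %d" % sig.hash_id
    if sig.hash_id not in ACCEPTABLE_HASH_IDS:
        return False, "rejected by policy: hash %s is not acceptable" % HASH_ALGOS[sig.hash_id]
    return dsa_verify_math(params, y, message, sig), "DSA check performed"


def demo() -> Dict[str, object]:
    params = generate_params()
    x = _rng.randrange(1, params.q)
    y = pow(params.g, x, params.p)
    msg = b"constructed sample message for the example"
    strong = sign(params, x, 8, msg)  # SHA-256
    weak = sign(params, x, 1, msg)    # same key, but an MD5-based signature
    return {
        "strong": verify(params, y, msg, strong),
        "weak": verify(params, y, msg, weak),
        "weak_math_only": dsa_verify_math(params, y, msg, weak),
        "tampered": verify(params, y, msg + b"!", strong),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The interesting line in the output is `weak_math_only`: the DSA arithmetic accepts the MD5-based signature, because it is a genuine signature from the key. Only the policy check in `verify` rejects it, which is exactly why the draft text puts the burden on the verifier rather than on what the signer "issued".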