ietf-openpgp

collision-resistance and self-signatures [was: Re: Non-SHA-1 fingerprints]

2009-05-11 17:15:40
(dredging this up from a week ago because i was re-thinking it today)

On 05/04/2009 06:04 PM, Daniel A. Nagy wrote:
> For fingerprints, MDC and self-signatures, collision-resistance does not matter,
> only the one-way property. So I think it is totally safe to postpone discussion
> until SHA3 is selected.

I think this point holds for fingerprints and MDCs.  I'm not convinced
that it holds for self-signatures, though.

Let's assume Alice has an SHA-1 collision-generator that she can coax
into generating two messages, A and B with the same digest, and that she
is meeting Bob for a keysigning at the pub on Friday.

She crafts message A, which looks like a regular public key/uid
signature, including Friday evening's timestamp and her User ID (this is
exactly the information to be hashed in a non-self-signature -- maybe it
hides the collision-generating bits in one of the public key MPIs?).
Message B is the data within a self-signature over Bob's key, asserting
something Bob didn't want to assert (e.g. binding a user ID of a known
villain, or binding a false encryption subkey which Alice controls).
The collision-generating bits in B might be hidden here in a notation
subpacket or something similarly opaque.

At the pub, Alice gets Bob to sign her key (message A) at just the right
time, retrieves his signature, and transfers it to the new bogus
self-sig (message B).

I think this means we need to consider self-signatures made over a given
algorithm as potentially spoofable if the digest's collision-resistance
is weakened.  It is *not* just the one-wayness that matters for self-sigs.

Is this analysis reasonable?  What have i missed?

        --dkg

PS i know that no one has demonstrated anything remotely close to the
hypothesized oracle i've given Alice above.  The point is just that
collision-resistance affects self-sigs in ways that it does not affect
the MDC or the fingerprint.

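An added example, not part of the original message: one way a keyring audit could act on the conclusion above by flagging self-signatures (user ID certifications, subkey bindings, direct-key signatures) whose digest algorithm is treated as collision-weak. It assumes the v4 signature packet layout and algorithm IDs of RFC 4880; the names `audit_signature`, `subpackets` and `sample_sig`, the `WEAK_HASHES` policy set and the sample packet are constructed for illustration.

```python
import struct

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}  # assumption: local policy, digests treated as collision-weak
# Certification (0x10-0x13), subkey binding (0x18) and direct-key (0x1F) types.
BINDING_TYPES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x1F}

def subpackets(area):
    """Yield (type, body) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                             # one-octet length
            length, i = first, i + 1
        elif first < 255 and i + 1 < len(area):     # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        elif first == 255 and i + 5 <= len(area):   # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        else:
            raise ValueError("truncated subpacket length")
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]  # drop the critical bit
        i += length

def audit_signature(body, primary_keyid):
    """Report whether a v4 signature packet body is a self-sig over a weak digest."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature packet body")
    sigtype, hash_id = body[1], body[3]
    hlen = struct.unpack(">H", body[4:6])[0]
    ustart = 6 + hlen
    if ustart + 2 > len(body):
        raise ValueError("truncated hashed area")
    ulen = struct.unpack(">H", body[ustart:ustart + 2])[0]
    if ustart + 2 + ulen > len(body):
        raise ValueError("truncated unhashed area")
    areas = body[6:ustart], body[ustart + 2:ustart + 2 + ulen]
    # Issuer (type 16) is an unauthenticated hint: this audits packets, it does not verify them.
    issuers = [b for area in areas for t, b in subpackets(area) if t == 16]
    self_sig = sigtype in BINDING_TYPES and primary_keyid in issuers
    return {"hash": HASH_NAMES.get(hash_id, "id %d" % hash_id), "self_sig": self_sig,
            "flag": self_sig and hash_id in WEAK_HASHES}

def sample_sig(sigtype, hash_id, issuer):
    """Constructed test packet: creation-time and issuer subpackets, dummy MPI."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1242000000)
    unhashed = bytes([9, 16]) + issuer
    return (bytes([4, sigtype, 1, hash_id]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00\x00\x08\xff")
```

A flagged packet is a candidate for re-issuing under a stronger digest; the check reads packet metadata only and says nothing about whether the signature itself verifies.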