ietf-openpgp
[Top] [All Lists]

Re: [openpgp] Issuer Fingerprint

2016-06-14 08:21:47
On Tue, 14 Jun 2016 14:25, joe(_at_)cdt(_dot_)org said:
Sounds like it doesn't make sense to make this optional for signatures as
implicit signature identity could result in attacks where the attacker
changes an implicit identity and signature verification fails?

Well, it is a SHOULD feature:

   SHOULD   This word, or the adjective "RECOMMENDED", mean that there
   may exist valid reasons in particular circumstances to ignore a
   particular item, but the full implications must be understood and
   carefully weighed before choosing a different course.

I can imagine valid reasons not to use this; in particular if you want a
very short signature and the key is already known my other means.

An attacker who wants to mount a DoS can simply flip a bit in the
signature to force the verification to fail.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
    /* EFH in Erkrath: https://alt-hochdahl.de/haus */

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp

<Prev in Thread] Current Thread [Next in Thread>