ietf-smime

RE: SignatureAlgorithmIdentifiers

1998-07-09 16:34:35
-----Original Message-----
From: EKR [mailto:ekr(_at_)terisa(_dot_)com]
Sent: Thursday, July 09, 1998 3:56 PM
To: Blake Ramsdell
Cc: 'ietf-smime(_at_)imc(_dot_)org'
Subject: Re: SignatureAlgorithmIdentifiers

I agree that dsa should be id-dsa-with-sha-1 for security reasons.

What are the security reasons?  I may not have been paying attention in
class again, so sorry if this is review.

The idea was that in PKCS #7 v1.5, there was "the thing that you use to
digest the content [the digest algorithm]" and "the thing that you use
to unprotect the protected digest value so that you can compare it to
the thing you got with the thing that you used to digest the content
[which used to be called the digest encryption algorithm, but is now
called the signature algorithm, but which possibly should be called the
digest protection algorithm]".  id-dsa-with-sha1 seems to refer to the
combination of these two types of algorithms, similar to
md5WithRSAEncryption.

This wording is not very good, and I will probably explain it better
about five messages from now.

I do not, however, agree that we should use fooWithRSAEncryption.
It doesn't provide any obvious benefit that I can see, and
(as noted) has negative backwards compatibility consequences.
Moreover, it leaves open the question of what to do if the
OID in the SignatureAlgorithm doesn't match the OID in the
digestAlgorithm field.

A message signed with an RSA certificate and digested using the SHA-1
digest algorithm in current practice has rsaEncryption in the
signatureAlgorithm, and the digestAlgorithm contains sha-1, so I think
we are already in a situation that they don't match.  I do agree,
however, that it does not seem to provide any obvious benefit to use the
fooWithRSAEncryption in the signatureAlgorithm field.

Blake
--
Blake C. Ramsdell
Worldtalk Corporation
For current info, check http://www.deming.com/users/blaker
Voice +1 425 882 8861 x103  Fax +1 425 882 8060
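As an added example, not part of the thread or of any S/MIME implementation: a small Python check that classifies the (digestAlgorithm, signatureAlgorithm) OID pairs discussed above, treating a bare rsaEncryption or id-dsa as pinning no digest and a combined fooWithBar OID as pinning one, so the mismatch case Eric raises is flagged rather than silently accepted. The OID values are the registered ones; the pairs fed in at the bottom are constructed samples.

```python
# Added example: consistency check between the digestAlgorithm and
# signatureAlgorithm fields of a PKCS #7 / CMS SignerInfo. The "reject on
# mismatch" policy is this example's choice, not a rule stated in the thread.

# Digest algorithm OIDs
MD5 = "1.2.840.113549.2.5"
SHA1 = "1.3.14.3.2.26"

# Bare key-algorithm OIDs: they say nothing about the digest, so the
# digestAlgorithm field alone tells the verifier which hash was used.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption (PKCS #7 v1.5 practice)
ID_DSA = "1.2.840.10040.4.1"              # id-dsa
BARE = {RSA_ENCRYPTION, ID_DSA}

# Combined OIDs: each pins a specific digest, which may disagree with the
# digestAlgorithm field.
COMBINED = {
    "1.2.840.113549.1.1.4": MD5,   # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": SHA1,  # sha1WithRSAEncryption
    "1.2.840.10040.4.3": SHA1,     # id-dsa-with-sha1
}


def implied_digest(sig_alg):
    """Return the digest OID a signatureAlgorithm pins, or None if it pins none."""
    if sig_alg in BARE:
        return None
    if sig_alg in COMBINED:
        return COMBINED[sig_alg]
    raise ValueError("unknown signatureAlgorithm OID %s" % sig_alg)


def check_signer_info(digest_alg, sig_alg):
    """Classify a (digestAlgorithm, signatureAlgorithm) pair.

    'bare'     - only the key algorithm is named; no mismatch is possible.
    'match'    - the combined OID agrees with digestAlgorithm.
    'mismatch' - the combined OID names a different digest; the verifier
                 should reject instead of trusting one field over the other.
    """
    implied = implied_digest(sig_alg)
    if implied is None:
        return "bare"
    return "match" if implied == digest_alg else "mismatch"


if __name__ == "__main__":
    # Constructed sample pairs, not taken from any real message
    print(check_signer_info(SHA1, RSA_ENCRYPTION))         # bare
    print(check_signer_info(SHA1, "1.2.840.10040.4.3"))    # match
    print(check_signer_info(MD5, "1.2.840.113549.1.1.5"))  # mismatch
```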