Sorry to drag this out again, I've had my head down coding.
Was there a resolution on the signature algorithm identifier
issue for dsa-with-sha1?
I think we should stick with a compatible oid representation
for the RSA-based signatures, but don't care either
way on the dsa-with-sha1 representation.
I wanted to make one comment:
EKR had posted a note regarding a digest subsitution
attack based on the fact that DSA signatures do not include
the digest OID in them, whereas PKCS-1 format
RSA signatures do, and are not susceptible.
Using the combined OID dsa-with-sha1 does not
address this problem for DSA,
since the combined oid is still not under the
"stronger" portion of the signature (raw DSA).
[That is, if there is any digest that is
permissible to be used with DSA that is at
some point compromised to the extent Eric mentions,
then the message, digest value, and the combined oid can
still be substituted. This is another minor botch in the
DSS design: it is DSA applied to the pure digest value.]
Putting the oids in the authenticated attributes field
wouldn't help either since it is only digested.
Anil R. Gangolli
Structured Arts Computing Corporation