[Top] [All Lists]

Re: SignatureAlgorithmIdentifiers

1998-08-12 11:58:23
"Anil R. Gangolli" <gangolli(_at_)StructuredArts(_dot_)com> writes:

Sorry to drag this out again, I've had my head down coding.
Was there a resolution on the signature algorithm identifier
issue for dsa-with-sha1?

I think we should stick with a compatible oid representation
for the RSA-based signatures, but don't care either
way on the dsa-with-sha1 representation.

I wanted to make one comment:

EKR had posted a note regarding a digest subsitution 
attack based on the fact that DSA signatures do not include 
the digest OID in them, whereas PKCS-1 format
RSA signatures do, and are not susceptible.

Using the combined OID dsa-with-sha1 does not
address this problem for DSA,
since the combined oid is still not under the 
"stronger" portion of the signature (raw DSA).
[That is, if there is any digest that is
permissible to be used with DSA that is at
some point compromised to the extent Eric mentions, 
then the message, digest value, and the combined oid can
still be substituted. This is another minor botch in the
DSS design: it is DSA applied to the pure digest value.]

Putting the oids in the authenticated attributes field
wouldn't help either since it is only digested.
Yes, that is correct. The CMS spec must say that
DSS must be used with SHA-1 only. This can only
be enforced by specsmanship, not by OIDs.

However, once we've made that decision, as a matter of 
form, one shouldd use dsa-with-sha-1 as the oid since
to do otherwise suggests that digests are subsitutible
with DSA when in fact they are not. That was the 
point I was trying to make.


[Eric Rescorla                             Terisa Systems, Inc.]
                "Put it in the top slot."

<Prev in Thread] Current Thread [Next in Thread>