If the recipient has confidence in the hash algorithm, I do not see
any problem with the current documents. I think that implementations
are going to need to be modified to provide an interface for users to
indicate which ones are acceptable and which ones are not. The
default setting will be vital.
At 11:38 PM 4/17/2006, Jim Schaad wrote:
In the process of reviewing documents dealing with multiple signature
processing, I suddenly realized that we currently do not have any attribute
which lets us verify that the correct digest and signature algorithms have
been used in verifying a SignerInfo. The question is do we need to do this?
More details on what I mean:
When you create a signer info you:
1. Hash the body of the message, place the digest value as a signed
attribute and the digest algorithm into the SignerInfo structure in an
2. Create the sequence of signed attributes, hash the value, create a
signature value using your private key and place the signature algorithm and
the signature in unprotected locations.
The signature does not need any additional protection, however one could
change the digest algorithms being used in both the signature and body
digest locations without a verifier being able to know that it has happened.
The attack I envision would be to find a body that has a digest of the same
length, but uses a different algorithm and update the SignerInfo structure
with the new digest algorithm data and the body with the updated body. This
would currently be undetectable by a verifier.