- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Sat, 10 Jun 2017 15:47:55 +0100
- To: Jeffrey Yasskin <jyasskin@google.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, freddyb@mozilla.com, Francois Marier <francois@mozilla.com>, Joel Weinberger <joel.weinberger@gmail.com>, Brad Hill <hillbrad@gmail.com>
On 10 June 2017 at 06:04, Jeffrey Yasskin <jyasskin@google.com> wrote:

> I'm certainly not a cryptography expert, but I read in
> https://tools.ietf.org/html/rfc8032#section-4, "Note that single-pass
> verification is not possible with most uses of signatures, no matter
> which signature algorithm is chosen. This is because most of the
> time, one can't process the message until the signature is validated,
> which needs a pass on the entire message."

The draft I cited includes a method for signing partial messages. The trade-off is that it's trivially vulnerable to truncation attacks, much in the same way that HTTP responses over TLS can be cut off. So both things are true. Generally, you want a signature over a thing to be completely verified before you use it in *any* way, so what RFC 8032 says is entirely appropriate.
Received on Saturday, 10 June 2017 14:48:30 UTC
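The truncation problem Martin describes, as an added illustration that is not part of the thread: a per-chunk scheme with nothing binding position or end of stream accepts a cut-off stream, while one that signs a chunk index and an is-final flag rejects it. An HMAC stands in for the Ed25519 signature here purely to keep the example dependency-free; the key and chunks are constructed.

```python
import hmac
import hashlib
import struct

# Constructed demo key. A real partial-message scheme would use an asymmetric
# signing key; HMAC is used here only as a stand-in for the signature primitive.
KEY = b"constructed-demo-key"


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def sign_naive(chunks):
    """Each chunk carries its own tag; nothing says where the stream ends."""
    return [(c, mac(c)) for c in chunks]


def verify_naive(stream):
    """Verifies chunk by chunk. A stream with trailing chunks removed still passes."""
    return all(hmac.compare_digest(tag, mac(c)) for c, tag in stream)


def sign_bound(chunks):
    """Each tag covers a header of (chunk index, is_final), so the verifier
    learns both the expected order and the point at which the stream must end."""
    last = len(chunks) - 1
    out = []
    for i, c in enumerate(chunks):
        hdr = struct.pack(">IB", i, 1 if i == last else 0)
        out.append((c, hdr, mac(hdr + c)))
    return out


def verify_bound(stream):
    """Accepts only a complete, in-order stream that ends with the final chunk."""
    expected = 0
    saw_final = False
    for c, hdr, tag in stream:
        if saw_final:  # data after the declared final chunk
            return False
        idx, fin = struct.unpack(">IB", hdr)
        if idx != expected or not hmac.compare_digest(tag, mac(hdr + c)):
            return False
        expected += 1
        saw_final = bool(fin)
    return saw_final  # a truncated stream never sees the final marker


if __name__ == "__main__":
    chunks = [b"hello ", b"partial ", b"world"]  # constructed sample stream
    print("naive, truncated:", verify_naive(sign_naive(chunks)[:2]))   # True
    print("bound, truncated:", verify_bound(sign_bound(chunks)[:2]))   # False
```

Even the bound scheme only tells the verifier at the end that data is missing, which is the point of the RFC 8032 note: any chunk acted on before that final check was acted on without a complete verification.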