W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > April to June 2000

Re: DSA and RSA AlgIDs

From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 08 May 2000 09:06:07 -0700
Message-Id: <200005081606.JAA37953@romeo.rtfm.com>
To: "Joseph M. Reagle Jr." <reagle@w3.org>
cc: tgindin@us.ibm.com, "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
> At 08:32 AM 5/8/00 -0700, EKR wrote:
>  >tgindin@us.ibm.com writes:
>  >>      I think we should change, and not solely for consistency reasons.
>  >> Although the DSS specifies SHA-1, it would be fairly easy to use a DSA
> key
>  >> with RIPEMD-160, and people might well call that signature algorithm
>  >> "dsa-ripe".
>  >We've been over this ground a number of times already. This doesn't
>  >work. There's a substitution attack on DSA unless the standard
>  >clearly specifies which digest algorithm to use [1].
>  
> Does this preclude us from changing the name for consistency sake. (Granted,
> we do need to specify a single algorithm for interoperability and security,
> but does that mean we shouldn't represent it as part of its ID?)
No, but if you're going to do it that way then add the following
text:

IMPORTANT: DSA is subject to a digest substitution attack. For this
reason, in DSIG the DSA algorithm MUST only be used with SHA-1, 
as specified in [DSS].

-Ekr
Received on Monday, 8 May 2000 12:05:08 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:09 GMT