> At 08:32 AM 5/8/00 -0700, EKR wrote:
> >tgindin@us.ibm.com writes:
> >> I think we should change, and not solely for consistency reasons.
> >> Although the DSS specifies SHA-1, it would be fairly easy to use a DSA key
> >> with RIPEMD-160, and people might well call that signature algorithm
> >> "dsa-ripe".
> >We've been over this ground a number of times already. This doesn't
> >work. There's a substitution attack on DSA unless the standard
> >clearly specifies which digest algorithm to use [1].
>
> Does this preclude us from changing the name for consistency sake. (Granted,
> we do need to specify a single algorithm for interoperability and security,
> but does that mean we shouldn't represent it as part of its ID?)

No, but if you're going to do it that way then add the following text:

IMPORTANT: DSA is subject to a digest substitution attack. For this reason,
in DSIG the DSA algorithm MUST only be used with SHA-1, as specified in [DSS].

-Ekr

Received on Monday, 8 May 2000 12:05:08 GMT
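The digest-pinning rule proposed above, as an added illustration that is not part of the original message or of the DSIG specification: a DSA verifier that trusts the digest name carried with the signature is compared with one that only ever verifies over SHA-1. The toy domain parameters, the `weak20` stand-in digest, the sample messages and all function names are constructed assumptions.

```python
import hashlib, secrets

# Toy DSA domain parameters (constructed; far too small for real use).
P, Q, G = 2039, 1019, 4            # Q divides P-1 and G has order Q mod P

def weak20(msg):
    # Constructed stand-in for a digest with trivial preimages: first 20 bytes.
    return msg[:20].ljust(20, b"\0")

DIGESTS = {"sha1": lambda m: hashlib.sha1(m).digest(), "weak20": weak20}

def digest_int(alg, msg):
    return int.from_bytes(DIGESTS[alg](msg), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key in [1, Q-1]
    return x, pow(G, x, P)                    # (private, public)

def sign(x, msg, alg="sha1"):
    while True:                               # retry on the rare r == 0 or s == 0
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (digest_int(alg, msg) + x * r) % Q
        if r and s:
            return r, s

def _dsa_check(y, h, r, s):
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def verify_unpinned(y, msg, sig, alg):
    # Trusts whatever digest name accompanies the signature.
    return alg in DIGESTS and _dsa_check(y, digest_int(alg, msg), *sig)

def verify_pinned(y, msg, sig, alg):
    # DSA is only verified over SHA-1; any other identifier is rejected.
    return alg == "sha1" and _dsa_check(y, digest_int("sha1", msg), *sig)

def demo():
    x, y = keygen()
    signed = b"original signed content"      # constructed sample message
    sig = sign(x, signed)                     # signer used SHA-1
    # Different content whose weak20 digest equals SHA-1(signed):
    other = hashlib.sha1(signed).digest() + b" different content"
    return (verify_pinned(y, signed, sig, "sha1"),
            verify_unpinned(y, other, sig, "weak20"),
            verify_pinned(y, other, sig, "weak20"))
```

`demo()` returns `(True, True, False)`: the same signature validates over different content once the digest is relabelled, and only the pinned verifier refuses it.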