- From: Martin Thomson <mt@lowentropy.net>
- Date: Wed, 08 Feb 2023 23:20:10 -0500
- To: ietf-http-wg@w3.org
On Wed, Feb 8, 2023, at 15:32, Justin Richer wrote: > First, it’s important to know that this attack relies on their being a > weakness in the underlying cryptographic primitive: Hi Justin, This is not a weakness in the cryptographic primitive. It is the result of a misunderstanding of what security properties are provided by a digital signature. Dennis explained it better than I could, so I would strongly recommend re-reading his emails and maybe the "seems legit" paper (the intro is basically all you need at this level). I've learned (again) just recently that these primitives have surprising sharp edges to them where our intuitions break down. This seems like an opportune moment to ask again for a formal security analysis of the draft. We have gotten feedback from two people (both of whose opinions I respect greatly on these subjects) that point to potential problems. This specific problem seems like something that a tool like tamarin could discover given careful prompting, but there are plenty of good alternatives that would be convincing.
Received on Thursday, 9 February 2023 04:20:45 UTC