- From: EKR <ekr@rtfm.com>
- Date: 08 May 2000 08:32:38 -0700
- To: tgindin@us.ibm.com
- Cc: "Joseph M. Reagle Jr." <reagle@w3.org>, "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>

tgindin@us.ibm.com writes:
> I think we should change, and not solely for consistency reasons.
> Although the DSS specifies SHA-1, it would be fairly easy to use a DSA key
> with RIPEMD-160, and people might well call that signature algorithm
> "dsa-ripe".

We've been over this ground a number of times already. This doesn't work. There's a substitution attack on DSA unless the standard clearly specifies which digest algorithm to use [1]. Check the archives

http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/1999OctDec/0079.html

and sequelae for a description of the attack.

-Ekr

[1] Except that if you use an extension of DSA with a longer q then you can use different digest algorithms for each size of q.

--
[Eric Rescorla ekr@rtfm.com]
PureTLS - free SSLv3/TLS software for Java
http://www.rtfm.com/puretls/

Received on Monday, 8 May 2000 11:31:47 UTC