- From: Eric Rescorla <ekr@rtfm.com>
- Date: Mon, 08 May 2000 09:06:07 -0700
- To: "Joseph M. Reagle Jr." <reagle@w3.org>
- cc: tgindin@us.ibm.com, "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
> At 08:32 AM 5/8/00 -0700, EKR wrote: > >tgindin@us.ibm.com writes: > >> I think we should change, and not solely for consistency reasons. > >> Although the DSS specifies SHA-1, it would be fairly easy to use a DSA > key > >> with RIPEMD-160, and people might well call that signature algorithm > >> "dsa-ripe". > >We've been over this ground a number of times already. This doesn't > >work. There's a substitution attack on DSA unless the standard > >clearly specifies which digest algorithm to use [1]. > > Does this preclude us from changing the name for consistency sake. (Granted, > we do need to specify a single algorithm for interoperability and security, > but does that mean we shouldn't represent it as part of its ID?) No, but if you're going to do it that way then add the following text: IMPORTANT: DSA is subject to a digest substitution attack. For this reason, in DSIG the DSA algorithm MUST only be used with SHA-1, as specified in [DSS]. -Ekr
Received on Monday, 8 May 2000 12:05:08 UTC