On Thu, Aug 13, 2015 at 3:11 PM, Phillip Hallam-Baker <[email protected]> wrote:

>> I'd agree, this is a conceptual misuse of digital signatures. While
>> creating a signature algorithm resistant to this is a "neat trick" much
>> like nonce-reuse-resistant AEAD schemes, you shouldn't design protocols
>> that rely on that resistance in either case.
>
> [...] People need to change their attitudes. We are designing building
> blocks that are going to be used by pinheads as well as geniuses. And on
> occasion the genius is going to build something on a bad day. The harder it
> is to screw up, the better.

In case I was unclear, I support the creation of schemes that take the sharp edges off, hence the hat tip to nonce-reuse-resistant AEAD. In fact I have participated in the development of, and tried to popularize, libraries that try to remove as many sharp edges as possible, such as libsodium.

The caveat I gave was that protocol designers shouldn't assume those sharp edges aren't present. I think you'll find most digital signature algorithms break under the assumption that two keys can't produce the same digital signature.

-- 
Tony Arcieri

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
