-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Samuel" == Samuel Weiler <[EMAIL PROTECTED]> writes:
>> Why? (The rest is just commentary on the DS option...)
Samuel> Because it may be useful for the child to select the DS
Samuel> digest algorithm, the DNSKEY option (in this draft) has no
Samuel> way to specify the digest, and allowing the child to send DS
Samuel> (by keeping the dsData element) seems simpler than adding a
Samuel> new element to the key spec.
Why does the child get to decide this?
This seems wrong to me.
Consider an attack on a signing algorithm where private data can be
revealed by careful selection of text to be signed.
(To be clear, I don't know of such an exact attack, although I recall
there was an implementation bug that had a simliar effect. I'm sorry, I
don't recall the details)
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQa0wY4qHRg3pndX9AQEtUQP7B5Ci1IFB7kYDsw3q9mVBRFK+MpG3J4fD
V53S8MTMGVyyfFFSN69TJh0UKR4NKAtjZJhmY0tejriJ4jf52E6A83uz8oracz2e
kT7SKKjogZaXzIxdtbsdp8xSTsTw7H5VbylMltEHX3w3W4yAFmyZrIlB6ygd2v84
tFzIQtOSVaM=
=XbfI
-----END PGP SIGNATURE-----
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
