On Thu, Feb 16, 2006 at 12:43:09AM +0000, Stephen Farrell allegedly wrote:
> Fair enough, but the problem is that the suggested scheme seems to
> be vulnerable if the less desirable hash algs are broken for collisions.
> That's exactly the problem seen with current hash functions.
>
> The signer might mark the rsa-md5 signature with "U=crap-alg" but the
> attacker can happily generate a colliding message with no "U=" at all.
>
> Is the scheme still worthwhile if that's the case? Or, have I
> misinterpreted your scheme?
I think you've misinterpreted. The U= goes in the Selector of the downgraded algorithm, not the signature. Regardless of what the attacker does to the message, a verifier *has* to fetch a Selector. If that Selector tells the verifier that they are using a downgraded algorithm, the verifier can act accordingly: i.e., accept the risk if that's the best they can verify, or fail the verify if a higher grade sig isn't present.

Mark.

_______________________________________________
NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html
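The selector-side policy described in the reply above, as an added example that is not part of the original thread, of RFC 4871, or of any DKIM implementation. It assumes the proposed U= tag sits in the selector's DNS TXT record and names the algorithm the signer considers downgraded; the DNS zone, the DKIM-Signature headers, the STRENGTH ranking and the verdict names are all constructed for illustration. Cryptographic checking of the b= value is not performed; the block models only the selector fetch and the decision that follows from it.

```python
# Added example for the selector-side "U=" downgrade flag discussed above.
# Not code from the DKIM working group, RFC 4871, or any DKIM library.
# Assumptions (not in the thread): tag-list syntax for both records, the
# STRENGTH ranking, the constructed DNS zone and message headers below, and
# the verdict names. Cryptographic checking of the b= value is out of scope;
# this models only the selector fetch and the resulting policy decision.

# Assumed ranking of signing algorithms; higher is stronger.
STRENGTH = {"rsa-md5": 1, "rsa-sha1": 2, "rsa-sha256": 3}


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list into a dict (whitespace-tolerant)."""
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


# Constructed DNS zone: the signer publishes two selectors and marks the
# legacy one's algorithm as downgraded with the proposed U= tag.
DNS = {
    "legacy._domainkey.example.com": "v=DKIM1; k=rsa; U=rsa-md5; p=CONSTRUCTEDKEY1",
    "s2006._domainkey.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY2",
}


def fetch_selector(domain, selector, dns):
    """Look up the selector record the verifier must fetch for a signature."""
    record = dns.get(f"{selector}._domainkey.{domain}")
    return parse_tags(record) if record is not None else None


def classify(sig_header, dns):
    """Return (selector, algorithm, downgraded) for one DKIM-Signature header.

    The downgrade decision is read from the fetched selector record, so
    anything the attacker adds to or strips from the message header cannot
    change it. Returns None when the selector is unknown or the algorithm
    is not one the verifier ranks.
    """
    sig = parse_tags(sig_header)
    key = fetch_selector(sig.get("d", ""), sig.get("s", ""), dns)
    if key is None or sig.get("a") not in STRENGTH:
        return None
    downgraded = key.get("U") == sig["a"]
    return (sig["s"], sig["a"], downgraded)


def evaluate(sig_headers, dns=DNS, accept_downgraded=False):
    """Apply the policy from the reply over all signatures on a message.

    Returns (verdict, selector). A non-downgraded signature wins; if only
    downgraded ones remain, the verifier either accepts the risk
    (accept_downgraded=True) or fails the verify.
    """
    candidates = [c for c in (classify(h, dns) for h in sig_headers) if c]
    strong = [c for c in candidates if not c[2]]
    weak = [c for c in candidates if c[2]]
    if strong:
        best = max(strong, key=lambda c: STRENGTH[c[1]])
        return ("accept", best[0])
    if weak and accept_downgraded:
        best = max(weak, key=lambda c: STRENGTH[c[1]])
        return ("accept-downgraded", best[0])
    return ("fail", None)


# Constructed message headers; b= values are placeholders.
SIG_SHA256 = "v=1; a=rsa-sha256; d=example.com; s=s2006; h=from:to:subject; b=CONSTRUCTED"
SIG_MD5 = "v=1; a=rsa-md5; d=example.com; s=legacy; h=from:to:subject; b=CONSTRUCTED"
# Attacker's colliding message: only the md5 signature survives and the
# header carries no U= tag at all (the concern raised in the quoted question).
SIG_MD5_FORGED = "v=1; a=rsa-md5; d=example.com; s=legacy; h=from:to:subject; b=COLLIDING"

if __name__ == "__main__":
    print(evaluate([SIG_SHA256, SIG_MD5]))                     # ('accept', 's2006')
    print(evaluate([SIG_MD5_FORGED]))                          # ('fail', None)
    print(evaluate([SIG_MD5_FORGED], accept_downgraded=True))  # ('accept-downgraded', 'legacy')
```

The point the reply makes shows up in `classify`: the only place U= is consulted is the record the verifier fetched for the selector named in the signature, so a forged header with no U= (or with a bogus one) lands on the same record and is classified the same way. The `accept_downgraded` switch makes the "accept the risk" branch an explicit verifier choice rather than the default.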
