On Wed, Dec 7, 2016 at 3:34 PM, Bjarni Runar Einarsson <b...@pagekite.net> wrote:
>
> Trevor Perrin <tr...@trevp.net> wrote:
>> On Wed, Dec 7, 2016 at 11:36 AM, Bjarni Runar Einarsson
>> <b...@pagekite.net> wrote:
>>
>> You're relying on a different property: An attacker given
>> (public key, message, signature) can't output a *different* key
>> pair with a public key that also verifies the message.
>
> Not "the message"... "all the messages."
>
> The threshold is trivially configurable. Does that change
> anything, or is it all the same? Or does nobody know since it
> hasn't been well studied?
It definitely changes things, and probably obstructs a lot of the
attacks, but I don't think it's well studied.

There might be other tricks like setting the DSA modulus q to a tiny
value that would let you brute-force search for a key pair that
verifies multiple signatures, if the final comparison is done mod q.
However, that would give suspicious public keys that are more likely
to be rejected, so a lot depends on the verification software.

>> But this is still a confused and risky use of signatures, IMO.
>
> I see. How would you recommend I determine whether the whole
> scheme is dangerous and should be abandoned, or if it's still
> better than the status quo?

I think it's best to just include the public key or hash of the public
key directly in the message, if you want the message to uniquely
identify a public key. According to Max this is now being done - GnuPG
signature packets now contain a SHA-1 fingerprint of the public key -
though I don't see it in Werner's latest draft [1].

Of course, if you do that, then you can just rely on the fingerprint,
not the signature, to identify the public key, so that isn't really an
argument for signatures.

Trevor

[1] https://tools.ietf.org/html/draft-koch-openpgp-rfc4880bis-02

_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
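An added illustration of the tiny-q trick Trevor sketches above. This is example code written for this page, not code from the thread, from GnuPG or from any of the participants. It assumes a hypothetical lax verifier (verify(..., lax=True)) that omits the 0 < r < q and 0 < s < q range checks and compares (g^u1 * y^u2 mod p) mod q against r mod q; verify(..., lax=False) is the usual FIPS 186 shape. Everything else is toy-sized so it runs in seconds: the victim uses a 160-bit q with a 512-bit p, the attacker a 64-bit p, the "victim" messages are constructed here, and pow(x, -1, q) needs Python 3.8 or later. forge_key never sees the victim's private key; it only consumes the (hash, r, s) triples and searches for a second (p, q, g, y) that the lax verifier accepts for all of them at once.

```python
# Added example, not code from the thread: victim signs constructed messages with
# DSA; attacker brute-forces a second key pair with tiny q that a lax verifier accepts.
import hashlib
import random

def is_probable_prime(n, rng, rounds=24):
    d, s = n - 1, 0                               # Miller-Rabin; callers pass odd n > 3
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_q(q_bits, rng):
    while True:                                   # random prime of exactly q_bits
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q, rng):
            return q

def gen_p_g(q, p_bits, rng):
    kb = p_bits - q.bit_length()
    while True:                                   # even k, so p = k*q + 1 is odd
        k = (rng.getrandbits(kb) | (1 << (kb - 1))) & ~1
        p = k * q + 1
        if is_probable_prime(p, rng):
            break
    while True:                                   # g of exact order q
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g != 1:
            return p, q, g

def sign(params, x, h, rng):
    p, q, g = params
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:
            return r, s

def verify(params, y, h, r, s, lax=False):
    """lax=False: FIPS 186 shape (0 < r, s < q); lax=True: hypothetical verifier, compares r mod q."""
    p, q, g = params
    if not lax and not (0 < r < q and 0 < s < q):
        return False
    if s % q == 0:                                # no inverse, reject
        return False
    w = pow(s % q, -1, q)
    u1, u2 = h * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r % q

def _usable_q(c, sigs):
    # c must not divide any s_i, and the (u1, u2) pairs must be distinct mod c
    if any(s % c == 0 for _, _, s in sigs):
        return False
    pairs = {(h * pow(s, -1, c) % c, r * pow(s, -1, c) % c) for h, r, s in sigs}
    return len(pairs) == len(sigs)

def forge_key(sigs, rng, p_bits=64, max_primes=20000):
    """Find (p, q, g), x, y with tiny q that verify(..., lax=True) accepts for all sigs."""
    q = next(c for c in (5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)
             if _usable_q(c, sigs))
    tried = 0
    for _ in range(max_primes):
        p, _q, g0 = gen_p_g(q, p_bits, rng)
        for j in range(1, q):                     # every generator of the subgroup
            g = pow(g0, j, p)
            for x in range(1, q):                 # every possible private key
                y = pow(g, x, p)
                tried += 1
                if all(verify((p, q, g), y, h, r, s, lax=True) for h, r, s in sigs):
                    return (p, q, g), x, y, tried
    raise RuntimeError("search budget exhausted")

def run_demo(seed=2016, n_messages=3):
    rng = random.Random(seed)                     # victim: 160-bit q, toy 512-bit p
    victim = gen_p_g(gen_q(160, rng), 512, rng)
    x_v = rng.randrange(1, victim[1])
    y_v = pow(victim[2], x_v, victim[0])
    sigs = []
    for i in range(n_messages):                   # constructed messages
        h = int.from_bytes(hashlib.sha1(b"constructed message #%d" % i).digest(), "big")
        sigs.append((h,) + sign(victim, x_v, h, rng))
    forged, _x, y_f, tried = forge_key(sigs, rng)
    return {
        "forged_q": forged[1],
        "victim_strict": all(verify(victim, y_v, h, r, s) for h, r, s in sigs),
        "forged_lax": all(verify(forged, y_f, h, r, s, lax=True) for h, r, s in sigs),
        "forged_strict": any(verify(forged, y_f, h, r, s) for h, r, s in sigs),
        "candidates_tried": tried,
    }
```

Calling run_demo() returns the victim key passing the strict verifier, the forged key with q below 50 passing the lax verifier on all three signatures, and the same forged key failing the strict verifier on every one of them, because each real r is a 160-bit value and can never satisfy 0 < r < q for a tiny q. Each candidate (p, g, y) passes one signature with probability about 1/q, so the search scales roughly as q^n for n signatures; that is why the trick needs a tiny q, and why a verifier that enforces the range check on r, or a minimum size on q, stops it before any arithmetic happens. That is the sense in which, as the message above says, a lot depends on the verification software.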