Eric Rescorla wrote:
At Thu, 24 Jul 2008 17:09:17 -0400,
Bruce Lowekamp wrote:
Cullen Jennings wrote:
This issue is brought up in section 7.1.
_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip
For those who haven't looked, the question is whether we need to include
the signer's identity in the data signature input. The draft currently
does not. I'm not aware of any reason to do so (assuming reasonable
numbers of bits being used for the keys).
So, the usual rationale here is to prevent substitution attacks.
For instance, an attacker gets a certificate with your public
key but his name and then takes a message you signed and rebadges
it as a message he wrote. It's not clear that this is useful in any
practical setting, but since it's not expensive to prevent, I was sort of
thinking it was worth doing.
I'm not terribly motivated to protect against a failure of the CA
(especially since it seems like there are lots of attack vectors if you
can do this), but I agree that it's not really expensive, either.
Bruce
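
The substitution case discussed in this thread, as an added example that is not part of the original messages or of the draft: it compares a signature over the data alone with one whose input also covers the signer's identity. The toy RSA key, the certificate dictionaries, the names and the length-prefixed encoding are all assumptions made for illustration, not the draft's actual format.

```python
import hashlib

# Toy textbook RSA built from two Mersenne primes: constructed for this demo, NOT secure.
N = (2**31 - 1) * (2**61 - 1)
E = 65537
D = pow(E, -1, (2**31 - 2) * (2**61 - 2))  # private exponent
PUB = (N, E)

def _digest(blob: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(blob: bytes) -> int:
    return pow(_digest(blob, N), D, N)

def signature_input(identity: str, data: bytes, bind_identity: bool) -> bytes:
    """Bytes that get signed. With bind_identity the signer's name is
    length-prefixed and prepended, so the signature covers it."""
    if not bind_identity:
        return data
    name = identity.encode()
    return len(name).to_bytes(2, "big") + name + data

def verify(cert: dict, data: bytes, sig: int, bind_identity: bool) -> bool:
    """Verify a value against the certificate it is presented with."""
    n, e = cert["pub"]
    blob = signature_input(cert["name"], data, bind_identity)
    return pow(sig, e, n) == _digest(blob, n)

# Constructed certificates: same public key, different names (the CA-failure case).
CERT_SIGNER = {"name": "alice@example.org", "pub": PUB}
CERT_REBADGED = {"name": "mallory@example.org", "pub": PUB}
DATA = b"stored value"  # constructed sample data

def demo() -> dict:
    sig_plain = sign(signature_input(CERT_SIGNER["name"], DATA, False))
    sig_bound = sign(signature_input(CERT_SIGNER["name"], DATA, True))
    return {
        "plain_signer": verify(CERT_SIGNER, DATA, sig_plain, False),
        "plain_rebadged": verify(CERT_REBADGED, DATA, sig_plain, False),
        "bound_signer": verify(CERT_SIGNER, DATA, sig_bound, True),
        "bound_rebadged": verify(CERT_REBADGED, DATA, sig_bound, True),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Only the identity-bound signature fails under the second certificate; the data-only signature verifies under either name.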