Re: public key algorithm naming

[Hal Finney <hal@rain.org>]

If you don't put the hash algorithm in the key, then if there were a
weak hash algorithm, people could forge signatures using that hash.
They could take an existing signature and create a structure which hashes
to the same value using the weak hash.

The same thing could happen of course if the key had a weak hash
algorithm, but probably there are fewer keys than signatures, hence more
opportunities to use weak hashes if it is in the signature.  Someone can
create his key with a strong hash algorithm and be sure that no hash
substitutions are possible.

If a hash is discovered to be weak, then either the key holder can replace
it in his key, or the verifier can know to ignore signatures with the
bad hash.  If hashes are in the signatures then only the latter course
is available, so there is one less way to recover.

Hal

---

Follow-Ups:

• Re: public key algorithm naming
• From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>
• Re: public key algorithm naming
• From: Carl Ellison <cme@cybercash.com>

---

• Prev by Date: Re: The role of trust in certification
• Next by Date: Re: public key algorithm naming
• Prev by thread: public key algorithm naming
• Next by thread: Re: public key algorithm naming
• Index(es):
  • Main
  • Thread