
Re: public key algorithm naming


At 04:03 PM 4/6/98 -0700, EKR wrote:
>fredette@theory.lcs.mit.edu (Matt Fredette) writes:
>> In a conversation Carl and I had at IETF, he remarked that he had convinced
>> Eric Rescorla that the signature encoding algorithm does need to be part
>> of a key's name.  Here's the argument: if encoding algorithm could be 
>> specified on a signature-by-signature basis, I might construct a new, 
>> not-unreasonable encoding algorithm that, with certs of my choosing, lets
>> me reuse your RSA-PKCS1 signatures as signatures using my marvelous new
>> encoding.
>Matt, I'm having a really hard time reading your message to see
>what it is you currently believe. Is the above text a quote or
>your current position?
>In any case, I do NOT agree that the signature encoding algorithm
>needs to be part of a key's name. PKCS-1 itself prevents the
>substitution attack, as I believe I indicated at IETF.


	Matt's wording was a little muddled here.  PKCS-1 *is* the encoding
algorithm he was talking about.

	What you and I agreed was that the PKCS-1 needs to be specified.  If all 
you specify is "rsa", then I have an unpacking algorithm that can pull the 
hash of my own construction out of an RSA-PKCS1 block.


>There's another quibble I have with all of this: PKCS-1 is both
>a message padding AND a format for RSA key encoding. But PKIX does
>NOT use the PKCS-1 RSA key encoding. Consequently, having a 
>key tagged as rsa-pkcs1 seems kind of confusing.

Are you suggesting we should write and name our own packing algorithm?

What does PKIX call its algorithm?

 - Carl

|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
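Carl's point above, that a key named only "rsa" lets each signature pick its own unpacking while a name like "rsa-pkcs1" fixes it, worked through as an added toy in Python. This is my illustration, not code from the thread or from PKCS-1; the Mersenne-prime key, the "rsa-xor" encoding, the messages and all function names are constructed for the example.

```python
import hashlib
# Toy RSA key from two Mersenne primes (trivially factorable; for illustration
# only, so the padding logic below runs on real modular arithmetic).
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (30)

def pkcs1_encode(message):
    # Block 00 01 FF..FF 00 <tag> <sha1>. A one-byte tag stands in for the DER
    # DigestInfo and the padding is shorter than the standard's 8 bytes: toy size.
    t = b"\x01" + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (K - 3 - len(t)) + b"\x00" + t

def sign(message):
    return pow(int.from_bytes(pkcs1_encode(message), "big"), D, N)
def recover_block(sig):
    return pow(sig, E, N).to_bytes(K, "big")

# "rsa-pkcs1" is the genuine unpacking. "rsa-xor" is the attacker's "marvelous
# new encoding": it XORs a mask carried in the signature into the block before
# unpacking, so any recovered block can be made to match any message.
def unpack_pkcs1(block, params):
    return block == pkcs1_encode(params["message"])
def unpack_xor(block, params):
    masked = bytes(a ^ b for a, b in zip(block, params["mask"]))
    return masked == pkcs1_encode(params["message"])
ENCODINGS = {"rsa-pkcs1": unpack_pkcs1, "rsa-xor": unpack_xor}

def verify_sig_chooses(sig, params):
    # Key named just "rsa": the signature declares its own encoding.
    return ENCODINGS[params["encoding"]](recover_block(sig), params)

def verify_key_binds(sig, params, key_encoding="rsa-pkcs1"):
    # Key named "rsa-pkcs1": the encoding is part of the key's name, so a
    # signature declaring any other encoding is rejected before unpacking.
    if params["encoding"] != key_encoding:
        return False
    return ENCODINGS[key_encoding](recover_block(sig), params)

def demo():
    m, m2 = b"pay 10 to alice", b"pay 1000 to mallory"  # constructed messages
    s = sign(m)  # honest PKCS#1 signature on m
    # reuse attempt: a mask that turns the honest block into the block for m2
    mask = bytes(a ^ b for a, b in zip(recover_block(s), pkcs1_encode(m2)))
    forged = {"encoding": "rsa-xor", "mask": mask, "message": m2}
    honest = {"encoding": "rsa-pkcs1", "message": m}
    return {"honest_ok": verify_sig_chooses(s, honest),
            "reuse_ok_when_sig_chooses": verify_sig_chooses(s, forged),
            "reuse_ok_when_key_binds": verify_key_binds(s, forged),
            "honest_ok_when_key_binds": verify_key_binds(s, honest)}
```

The same signature value is accepted over a different message by the verifier that trusts the signature's declared encoding, and refused by the one that takes the encoding from the key name.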