
Re: public key algorithm naming




At 04:03 PM 4/6/98 -0700, EKR wrote:
>fredette@theory.lcs.mit.edu (Matt Fredette) writes:
>> > Message-Id: <3.0.3.32.19980314020906.00a55100@cybercash.com>
>> In a conversation Carl and I had at IETF, he remarked that he had convinced
>> Eric Rescorla that the signature encoding algorithm does need to be part
>> of a key's name.  Here's the argument: if encoding algorithm could be 
>> specified on a signature-by-signature basis, I might construct a new, 
>> not-unreasonable encoding algorithm that, with certs of my choosing, lets
>> me reuse your RSA-PKCS1 signatures as signatures using my marvelous new
>> encoding.
>Matt, I'm having a really hard time reading your message to see
>what it is you currently believe. Is the above text a quote or
>your current position?
>
>In any case, I do NOT agree that the signature encoding algorithm
>needs to be part of a key's name. PKCS-1 itself prevents the
>substitution attack, as I believe I indicated at IETF.


Eric,

	Matt's wording was a little muddled here.  PKCS-1 *is* the encoding
algorithm he was talking about.

	What you and I agreed was that the PKCS-1 needs to be specified.  If all 
you specify is "rsa", then I have an unpacking algorithm that can pull the 
hash of my own construction out of an RSA-PKCS1 block.


[...]

>There's another quibble I have with all of this: PKCS-1 is both
>a message padding AND a format for RSA key encoding. But PKIX does
>NOT use the PKCS-1 RSA key encoding. Consequently, having a 
>key tagged as rsa-pkcs1 seems kind of confusing.

Are you suggesting we should write and name our own packing algorithm?

What does PKIX call its algorithm?

 - Carl



+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+
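
An added example, not part of the original message or of any project's code: it shows why a key named only "rsa" lets a second unpacking rule accept the same RSA-PKCS1 block for a different message, while a key named with its encoding does not. The toy key, the SHA-256 choice, the `tail8` encoding and all function names are assumptions made for illustration; `tail8` is a deliberately weak stand-in for the "hash of my own construction".

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo header

def pkcs1_block(msg):
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 DigestInfo(SHA-256(msg))."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - 3 - len(t)) + b"\x00" + t

def sign_pkcs1(msg):
    return pow(int.from_bytes(pkcs1_block(msg), "big"), D, N)

def recover(sig):
    """Public-key operation: turn a signature back into the signed block."""
    return pow(sig, E, N).to_bytes(K, "big")

def check_pkcs1(block, msg):
    # Rebuild the whole block and compare, so padding and DigestInfo are checked too.
    return block == pkcs1_block(msg)

def check_tail8(block, msg):
    # Hypothetical second encoding: the last block byte must equal an 8-bit checksum.
    return block[-1] == sum(msg) % 256

ENCODINGS = {"pkcs1-sha256": check_pkcs1, "tail8": check_tail8}

def verify_per_signature(sig, msg, encoding):
    """Key is named only "rsa"; each signature says how to unpack the block."""
    return ENCODINGS[encoding](recover(sig), msg)

def verify_key_bound(key_name, sig, msg):
    """Key is named "rsa-pkcs1-sha256"; the unpacker comes from the key name alone."""
    return ENCODINGS[key_name.split("-", 1)[1]](recover(sig), msg)

def other_message_for(sig):
    """Build a different message that satisfies tail8 for an existing signed block."""
    base = b"pay 9999 "
    return base + bytes([(recover(sig)[-1] - sum(base)) % 256])
```

With a signature made by `sign_pkcs1(b"pay 10")`, `verify_per_signature` accepts the message from `other_message_for` under `"tail8"`, and `verify_key_bound` rejects it because the key name fixes the unpacker.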
