DSA2

[Lionel Elie Mamane]

On Fri, Sep 29, 2006 at 03:35:20AM -0500, Robert J. Hansen wrote:
> Lionel Elie Mamane wrote:

>>>  - DSA does not support "firewalled hashes"

>> Not exactly. Version 3 DSA signatures lack a hash firewall. But
>> version 4 DSA signatures do have a hash firewall. The version refers
>> not to a version of DSA itself, but the version of the OpenPGP packet
>> format being used.

> if memory serves we can talk about one set of versions for keys, and
> another set of versions for signatures, etc., etc.

Exactly.

> It is my understanding--and I would welcome being pointed to
> language in the RFC showing that I am wrong--that v4 DSA keys lack a
> satisfactory hash function firewall.

I'm not talking about v4 DSA _keys_ but about v4 _signatures_ issued
by DSA keys. And, to quote an email from an earlier discussion with
you (on the PGP-Basics ML, Message-ID:
<20050905141121.GB22994 at tofu.mamane.lu>):

§5.2.4 of the RFC:

 Once the data body is hashed, then a trailer is hashed. A V3 signature
 hashes five octets of the packet body, starting from the signature
 type field. This data is the signature type, followed by the
 four-octet signature time.

and

                            A V4 signature hashes the packet body
 starting from its first field, the version number, through the end of
 the hashed subpacket data. Thus, the fields hashed are the signature
 version, the signature type, the public key algorithm, the hash
 algorithm, the hashed subpacket length, and the hashed subpacket
 body.


So, the signed data contains (via a hash) the hash algorithm, which
constitutes a hash function firewall. Do you have any argument to say
it is not "satisfactory"?

-- 
Lionel