2.1 beta or release

David Leon Gil coruus at gmail.com
Sat Oct 25 20:55:38 CEST 2014


On Sat, Oct 25, 2014 at 2:16 PM, Werner Koch <wk at gnupg.org> wrote:
> On Sat, 25 Oct 2014 20:09, coruus at gmail.com said:
>
>> There is a very simple way to fix any problems: Require that a
>> specific digest algorithm be used. (Just pick SHA-2-256 or SHA-2-512
>
> It is your choice but GnuPG defaults to SHA-256 in this case (and
> most others).

If you want to provide a choice, you need to ensure that the inputs to
Ed25519 are domain-separated; the mechanism provided in RFC4880 (which
is rather bulky) is adding an OID. (Consider, e.g., if Blake2s or
SHA3-256 are specified for use with OpenPGP: the problem of forging a
colliding signature reduces to the difficulty of finding a collision
for the weakest hash-function with the same output length.)

I would also be quite content with prepending or appending the name of
the hash function as a character string.

I am also reasonably hopeful that other implementations will not
support verifying Ed25519-SHA1/RIPEMD160 signatures.
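To make the domain-separation point above concrete: the following is an added example, not code from GnuPG or from either poster. It models a prehashed signature over the digest alone versus over "hash name || digest" (the string-prefix variant suggested above; RFC 4880's OID prefix is the same idea with a DER-encoded identifier). Ed25519 is replaced by HMAC-SHA512 as a stand-in that simply binds the exact bytes it is given, and the cross-algorithm "collision" is supplied directly rather than searched for, since the mail's point is that forging reduces to that search.

```python
import hashlib
import hmac

# Prehash functions OpenPGP might permit in front of Ed25519; all 32-byte outputs,
# which is exactly what makes their raw digests interchangeable.
PREHASHES = {
    "sha256": lambda m: hashlib.sha256(m).digest(),
    "sha3_256": lambda m: hashlib.sha3_256(m).digest(),
    "blake2s": lambda m: hashlib.blake2s(m, digest_size=32).digest(),
}

def signing_input(algo: str, digest: bytes, domain_separated: bool) -> bytes:
    """Bytes handed to the signature primitive.
    Without domain separation only the digest is signed, so every prehash with the
    same output length yields the same signing input for the same digest bytes.
    With it, the hash name is prepended as a string (constructed format: name, NUL, digest)."""
    if domain_separated:
        return algo.encode("ascii") + b"\x00" + digest
    return digest

def sign(key: bytes, algo: str, message: bytes, domain_separated: bool) -> bytes:
    # Stand-in for Ed25519: HMAC-SHA512 models "the signature binds exactly these bytes".
    tbs = signing_input(algo, PREHASHES[algo](message), domain_separated)
    return hmac.new(key, tbs, "sha512").digest()

def verify(key: bytes, algo: str, message: bytes, sig: bytes, domain_separated: bool) -> bool:
    tbs = signing_input(algo, PREHASHES[algo](message), domain_separated)
    return hmac.compare_digest(hmac.new(key, tbs, "sha512").digest(), sig)

def signature_transfers_across_prehash(domain_separated: bool) -> bool:
    """True if a signature made under the sha256 label also verifies under the blake2s
    label for some m2 with blake2s(m2) == sha256(m1). Producing such an m2 is a collision
    search against the weaker of the two hashes, so the colliding digest is supplied
    directly here; the verifier's acceptance depends only on the bytes it reconstructs."""
    key = b"constructed demo key"
    m1 = b"original message m1"
    sig = sign(key, "sha256", m1, domain_separated)
    colliding_digest = hashlib.sha256(m1).digest()  # plays the role of blake2s(m2)
    forged_tbs = signing_input("blake2s", colliding_digest, domain_separated)
    return hmac.compare_digest(hmac.new(key, forged_tbs, "sha512").digest(), sig)

if __name__ == "__main__":
    print("raw digest signed, transfer works:", signature_transfers_across_prehash(False))  # True
    print("domain separated, transfer fails:", signature_transfers_across_prehash(True))   # False
```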
