Implementation question: validating left two of signatures
brian m. carlson
sandals at crustytoothpaste.net
Fri Aug 12 21:27:50 CEST 2011
I have a quality-of-implementation question (more in general than
specifically about GnuPG). I am writing an implementation of OpenPGP
that verifies signatures, among other things.
Signatures contain the left two bytes of the hash as a quick check.
I've noticed that a small number of signatures are in fact valid even
though this quick check does not match the hash. Is it considered
acceptable to fix up this value if it is wrong? If not, is it
acceptable to treat two signatures as the same signature if they are
identical but for the left two? Does GnuPG (or any other
implementation) actually give any credence to the left two whatsoever?
If there's an OpenPGP implementers' list or another, more appropriate
forum, please feel free to point me in that direction. I couldn't find
one, so I posted here.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: </pipermail/attachments/20110812/e024f26a/attachment.pgp>
More information about the Gnupg-users
mailing list