Florian Weimer wrote:

> And you better randomize some bits covered by RRSIGs on DS RRsets.
> Directly signing data supplied by non-trusted source is quite risky.
> (It turns out that the current signing schemes have not been designed
> for this type of application, but the general crypto community is very
> slow at realizing this discrepancy.)

Could you elaborate? I'm not sure what you're referring to or why it would be quite risky to sign unrandomized messages. Modern, well-designed signature schemes are designed to resist chosen-message attack. They do not require the user of the signature scheme to randomize the messages to be signed. I'm not sure what discrepancy you're referring to.

Back to DNSSEC: The original criticism was that "DNSSEC has covert channels". So what? If you're connected to the Internet, covert channels are a fact of life, DNSSEC or no. The added risk due to any covert channels that DNSSEC may enable is somewhere between negligible and none, as far as I can tell. So I don't understand that criticism.

---------------------------------------------------------------------
The Cryptography Mailing List