Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-06-01 Thread Andy Lutomirski
On Mon, Jun 1, 2015 at 8:50 AM, David Howells wrote:
> Andy Lutomirski wrote:
>
>> > You can also fudge the signature (or a hash) by adding extra data to or
>> > modifying the data blob and by switching signature values between signature
>> > blobs.
>>
>> So there's another design error in

Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-06-01 Thread David Howells
Andy Lutomirski wrote:
> > You can also fudge the signature (or a hash) by adding extra data to or
> > modifying the data blob and by switching signature values between signature
> > blobs.
>
> So there's another design error in PKCS#7? Great!

No. This applies to *all* signatures where

Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-06-01 Thread David Howells
Andy Lutomirski l...@amacapital.net wrote: You can also fudge the signature (or a hash) by adding extra data to or modifying the data blob and by switching signature values between signature blobs. So there's another design error in PKCS#7? Great! No. This applies to *all* signatures

Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-06-01 Thread Andy Lutomirski
On Mon, Jun 1, 2015 at 8:50 AM, David Howells dhowe...@redhat.com wrote: Andy Lutomirski l...@amacapital.net wrote: You can also fudge the signature (or a hash) by adding extra data to or modifying the data blob and by switching signature values between signature blobs. So there's

Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-05-29 Thread Andy Lutomirski
On Fri, May 29, 2015 at 5:40 AM, David Howells wrote:
> Andy Lutomirski wrote:
>
>> This is insecure because PKCS#7 authenticated attributes are broken (see
>> RFC2315 section 9.4 note 4). You need to either require that everything have
>> authenticated attributes or require that nothing have

Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-05-29 Thread David Howells
Andy Lutomirski wrote:
> This is insecure because PKCS#7 authenticated attributes are broken (see
> RFC2315 section 9.4 note 4). You need to either require that everything have
> authenticated attributes or require that nothing have authenticated
> attributes. Maybe this insecurity doesn't

Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-05-29 Thread David Howells
Andy Lutomirski l...@kernel.org wrote: This is insecure because PKCS#7 authenticated attributes are broken (see RFC2315 section 9.4 note 4). You need to either require that everything have authenticated attributes or require that nothing have authenticated attributes. Maybe this insecurity

Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-05-29 Thread Andy Lutomirski
On Fri, May 29, 2015 at 5:40 AM, David Howells dhowe...@redhat.com wrote: Andy Lutomirski l...@kernel.org wrote: This is insecure because PKCS#7 authenticated attributes are broken (see RFC2315 section 9.4 note 4). You need to either require that everything have authenticated attributes or

Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-05-28 Thread Andy Lutomirski
[resending with further gmane screwups fixed] On 05/28/2015 08:48 AM, David Howells wrote: Modify the sign-file program to take a "-F <firmware name>" parameter. The name is a utf8 string that, if given, is inserted in a PKCS#7 authenticated attribute from where it can be extracted by the kernel.

[PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-05-28 Thread David Howells
Modify the sign-file program to take a "-F <firmware name>" parameter. The name is a utf8 string that, if given, is inserted in a PKCS#7 authenticated attribute from where it can be extracted by the kernel. Authenticated attributes are added to the signature digest. If the attribute is present, the signature

Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-05-28 Thread Andy Lutomirski
[resending with further gmane screwups fixed] On 05/28/2015 08:48 AM, David Howells wrote: Modify the sign-file program to take a -F firmware name parameter. The name is a utf8 string that, if given, is inserted in a PKCS#7 authenticated attribute from where it can be extracted by the kernel.

[PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

2015-05-28 Thread David Howells
Modify the sign-file program to take a -F firmware name parameter. The name is a utf8 string that, if given, is inserted in a PKCS#7 authenticated attribute from where it can be extracted by the kernel. Authenticated attributes are added to the signature digest. If the attribute is present, the