Re: multiple digitale signatures
Sönke Maseberg <maseberg@xxxxxxxxxxxxxxxx> writes:
>But I want to point out that there is no signature algorithm that is
>provably secure. Yes, the established algorithms are analysed and they seem
>to be secure, but we cannot exclude the sudden compromise of a signature
>algorithm. On the other hand a lot of companies, banks or governments rely on
>PKI technologies. What would happen if a failure occurs?
What will happen depends on the signature algorithm which is compromised:

RSA: The entire world will find out. It'll be on the evening news, and the
front page of most papers. As yet undiscovered tribes in the jungles of
Borneo will have missionaries hacking their way through the undergrowth
just to tell them.

DSA: The few government users who care will read about it in Government
Computer News and keep using it anyway while they await orders from on
high on what to do next. NIST will convene a standards group to look
into the matter with a preliminary draft due in early 2003. ANSI will
also work on resolving this with a draft due in 2003, but it won't
actually be published until 2012. Neither of these versions will be
even remotely compatible with any existing work. Leaked, obsolete
copies will be incorporated in part into some RFCs.

X9.42 DH (which isn't actually a signature algorithm anyway), various ECCs, and
others: In 6-12 months there will be a paper in Crypto or Eurocrypt which
cryptographers will agree is a brilliant attack and which everyone else
will ignore completely.

I can't see that any of these cases require the introduction of any complex new
dual-signature mechanism to augment them. If there's a sudden compromise
(which, as others have pointed out, is incredibly unlikely), it'll be handled
through standard channels. End of story, now we can get back to debating how
many name constraints can fit on the head of a pin.

Peter.