Notices where this attachment appears
-
Embed this notice
Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 30-Jan-2025 22:17:22 JST 
Soatok Dreamseeker
This contrived dialogue may have tripped alarms in your mind, even if you're not a nightmare magic math specialist.
If so, this is the same kind of "oh noooooo" I feel whenever a protocol decides which algorithm to use based entirely on potentially attacker-controlled data.
Grabbing the algorithm from a message signature? Bozo bit flipped!
Grabbing the public key from the message signature? I'm over the moon. (Session does this, even though there's an external bit of logic binding it to the user's long-term birationally equivalent X25519 public key.)
The only acceptable way to do this is:
- Have a randomly generated Key ID that points to a specific keypair.
- Include this Key ID in the data being authenticated.
- To figure out the algorithm to use for a given key, consult the key (not the signature or message).
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.