Commit 0bce0161 authored by Nick Mathewson

Revise proposal 162: SHA256(x), not SHA256(SHA256(x))

The point of doing SHA256 twice is, generally, to prevent message
extension attacks where an attacker who knows H(A) can calculate
H(A|B).  But for attaching a signature to a document, the attacker
already _knows_ A, so trying to keep them from calculating H(A|B) is
pointless.
parent 34710574
+4 −5
@@ -148,11 +148,10 @@ Spec modifications:
    4.1. The "sha256" signature format.

    The 'SHA256' signature format for directory objects is defined as
    the RSA signature of the OAEP+-padded SHA256 digest of the SHA256
    digest of the item to be signed.  When checking signatures,
    the signature MUST be treated as valid if the signature material
    begins with SHA256(SHA256(document)); this allows us to add other
    data later.
    the RSA signature of the OAEP+-padded SHA256 digest of the item to
    be signed.  When checking signatures, the signature MUST be treated
    as valid if the signature material begins with SHA256(document);
    this allows us to add other data later.

Considerations:
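Review bot: the replacement rule in this hunk, "the signature MUST be treated as valid if the signature material begins with SHA256(document)", leaves the length of the compared prefix implicit; state that exactly the 32 bytes of the SHA256 digest are compared (ideally with a constant-time comparison) and that any trailing bytes are ignored until a later revision defines them, for example "the first 32 bytes of the signature material MUST equal SHA256(document); any remaining bytes are reserved and MUST be ignored by verifiers". Dropping the inner hash is sound for the reason the commit message gives: the signed input is already public, so length-extension resistance buys nothing here. Separately, both the removed and the added text describe the padding as "OAEP+-padded": OAEP is the PKCS#1 encryption padding, while the PKCS#1 v2 signature padding is PSS (with the v1.5 signature encoding as the older alternative); please confirm which padding the implementation actually applies and name it explicitly so implementers do not have to guess.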