Dear Lazyplus,

It strikes me that using the same signing key to sign messages of different types -- say, ASCII text and protobuf -- is extremely problematic: a message could mean one thing when interpreted as ASCII and something entirely different when interpreted as protobuf. It seems that to prevent this problem, you would have to make sure that whenever you generate a new keypair, you designate it for signing only a specific format of message, and never accept signatures using this key with any other format.

For example, it would be dangerous to use the same RSA key to sign emails and to authenticate SSH, as the SSH server mostly controls the content of the message that you must sign when authenticating.

Surely this is a widely-understood problem in public-key cryptography, but I don't recall seeing the problem discussed before, and I'm not sure what to Google. Can anyone point me at any references? How does e.g. PGP handle this?

+Zooko Wilcox-O'Hearn, +Tony Arcieri, +Yan X. Z, and +Ryan Sleevi seem like people who would know...
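An added example, not part of the original post or any library it mentions, showing the mitigation the post proposes in working Go: each keypair is designated for one message format at generation time, the signer refuses any other format, and the format identifier is bound into the signed bytes (length-prefixed, so no identifier is a prefix of another). The format identifiers, the `FormatKey` type and the ambiguous sample bytes (which parse both as text and as a protobuf field-1 string) are constructed for this example. Ed25519 from Go's standard library stands in for whatever signature scheme is actually in use; the construction is the same for RSA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Format names the single message format a key is designated for.
// The identifiers below are hypothetical, chosen for this example.
type Format string

const (
	FormatASCII    Format = "example.org/ascii-text/v1"
	FormatProtobuf Format = "example.org/protobuf/v1"
)

// domainPrefix turns a format identifier into a length-prefixed byte string,
// so that no identifier can be a prefix of another and the boundary between
// tag and message is unambiguous.
func domainPrefix(f Format) []byte {
	var lenBuf [4]byte
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(f)))
	return append(lenBuf[:], string(f)...)
}

// FormatKey is a keypair designated at generation time for exactly one format.
type FormatKey struct {
	Public ed25519.PublicKey
	priv   ed25519.PrivateKey
	Format Format
}

// NewFormatKey generates a keypair and binds it to f.
func NewFormatKey(f Format) (*FormatKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &FormatKey{Public: pub, priv: priv, Format: f}, nil
}

// Sign refuses to sign anything but the key's designated format, and binds
// the format tag into the signed bytes.
func (k *FormatKey) Sign(f Format, msg []byte) ([]byte, error) {
	if f != k.Format {
		return nil, fmt.Errorf("key designated for %q, refusing to sign %q", k.Format, f)
	}
	return ed25519.Sign(k.priv, append(domainPrefix(f), msg...)), nil
}

// VerifyAs checks sig against msg under the format the verifier expects.
// The expected format comes from the verifier's own context, never from the
// message being checked.
func VerifyAs(pub ed25519.PublicKey, expected Format, msg, sig []byte) bool {
	return ed25519.Verify(pub, append(domainPrefix(expected), msg...), sig)
}

// Demo runs the scenario from the post with one keypair and one byte string
// that reads both as text and as a serialized protobuf message. It returns
// (1) whether an untagged signature is accepted whichever way the bytes are
// interpreted, (2) whether the tagged signature verifies under the wrong
// format, and (3) whether it verifies under its own format.
func Demo() (naiveAmbiguous, crossFormatOK, sameFormatOK bool, err error) {
	// Constructed sample: bytes 0x0a 0x05 "hello" are a newline plus text to a
	// text parser, and field 1 (wire type 2, length 5) "hello" to protobuf.
	ambiguous := []byte("\x0a\x05hello")

	// Naive use: a plain signature over the raw bytes. Whichever format a
	// verifier believes it is checking, it runs the identical check, so the
	// signature is good under both interpretations.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	sig := ed25519.Sign(priv, ambiguous)
	acceptAsText := func(m, s []byte) bool { return ed25519.Verify(pub, m, s) }
	acceptAsProtobuf := func(m, s []byte) bool { return ed25519.Verify(pub, m, s) }
	naiveAmbiguous = acceptAsText(ambiguous, sig) && acceptAsProtobuf(ambiguous, sig)

	// Designated key: bound to ASCII text when generated.
	textKey, err := NewFormatKey(FormatASCII)
	if err != nil {
		return false, false, false, err
	}
	if _, err := textKey.Sign(FormatProtobuf, ambiguous); err == nil {
		return false, false, false, errors.New("key signed a format it was not designated for")
	}
	tagged, err := textKey.Sign(FormatASCII, ambiguous)
	if err != nil {
		return false, false, false, err
	}
	crossFormatOK = VerifyAs(textKey.Public, FormatProtobuf, ambiguous, tagged)
	sameFormatOK = VerifyAs(textKey.Public, FormatASCII, ambiguous, tagged)
	return naiveAmbiguous, crossFormatOK, sameFormatOK, nil
}

func main() {
	n, c, s, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("untagged signature accepted under both interpretations: %v\n", n)
	fmt.Printf("tagged signature accepted under the wrong format: %v\n", c)
	fmt.Printf("tagged signature accepted under its own format: %v\n", s)
}
```

The two checks that matter are in `Sign` and `VerifyAs`: the signer will not produce a signature for a format the key was not designated for, and the verifier supplies its own expected format rather than trusting the message to say which format it is, so a signature issued for text cannot be presented as a signature over the same bytes read as protobuf.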