[cryptography] Is it just me or is this fundamentally broken?

Peter Saint-Andre stpeter at stpeter.im
Mon Mar 4 20:24:46 EST 2013


On 3/4/13 4:42 PM, Peter Gutmann wrote:
> Quoting http://xmpp.org/extensions/xep-0027.html#signing:
> 
> Signing enables a sender to verify that they sent a certain block
> of text. [...] The text that is signed MAY be the empty string.
> 
> (There's no metadata or anything there, just a raw signature).

No one uses XEP-0027 these days, they all use OTR. The PGP integration
with XMPP clients was an early experiment in the Jabber community
before we even called it XMPP. Think 13+ years ago. But clients never
signed empty strings, although we never fixed the spec because no one
was using the technology. I'll push to make the spec Obsolete.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

