
launchpad-dev team mailing list archive

Re: Signing the code of conduct


Jonathan Lange wrote:
> From https://edge.launchpad.net/codeofconduct/1.1/+sign:
> 
> "If you want to, add extra spaces or blank lines between words in the
> file. (This helps protect against other people trying to forge your
> signature.)"
> 
> What?

IIRC, it's a protection against a
<http://en.wikipedia.org/wiki/Birthday_attack>.  The concern is that the text
you are being asked to sign may have been specifically chosen because it will
hash identically to a malicious document that says e.g. “By GPG-signing this
document I authorise EvilCorp to empty my bank accounts and own my first-born
child.”

So by making cosmetic changes to the input you make it (even more) unlikely that
someone can take your signature of the CoC and make a fake signature of another
document you never signed.

For maximum paranoia, make sure to use a cryptographically secure PRNG to
determine the whitespace to add :)

-Andrew.
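The scenario Andrew sketches, worked through as an added example (this code is not from the list thread or from Launchpad): an attacker who can cheaply find hash collisions prepares two documents, one harmless and one harmful, that hash to the same value, and hopes the victim signs the harmless one. The hash here is SHA-256 truncated to 20 bits, an assumption made so the collision search finishes in seconds; the documents and the variation trick (doubling spaces between words) are constructed for the demo. The last function is the signer's side of it: perturbing the text with whitespace drawn from a cryptographically secure RNG before signing, which leaves the attacker's prepared pair useless.

```python
"""Toy demonstration of the collision concern behind the 'add extra spaces'
advice, and of why the signer's own random edits defeat it.

Everything here is constructed for illustration: the hash is SHA-256 cut
down to 20 bits so that collisions are cheap to find, the documents are
made up, and the attacker model is the textbook birthday (two-set) attack.
"""
import hashlib
import secrets
from typing import Iterator, Optional, Tuple

HASH_BITS = 20  # assumption: deliberately weak so the search is quick

# Constructed sample documents for the demo.
BENIGN = ("I agree to the Code of Conduct and will treat everyone in the "
          "community with respect courtesy and patience at all times")
MALICIOUS = ("By signing this document I authorise EvilCorp to empty all of my "
             "bank accounts and transfer ownership of my house to them now")


def toy_hash(data: str) -> int:
    """SHA-256 truncated to HASH_BITS, standing in for a hash weak enough
    that a collision search is affordable."""
    digest = hashlib.sha256(data.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - HASH_BITS)


def cosmetic_variants(text: str, n_flags: int) -> Iterator[str]:
    """Yield 2**n_flags renderings of `text` that read the same but hash
    differently: after each of the first n_flags words an extra space is
    optionally inserted.  These free variations are what the attacker
    searches over."""
    words = text.split(" ")
    assert n_flags < len(words)
    for mask in range(1 << n_flags):
        pieces = []
        for i, word in enumerate(words):
            pieces.append(word)
            if i < n_flags and (mask >> i) & 1:
                pieces.append("")  # joining with " " yields a double space
        yield " ".join(pieces)


def birthday_collision(benign: str, malicious: str,
                       n_flags: int = 14) -> Optional[Tuple[str, str]]:
    """Birthday attack across two sets: tabulate the hashes of benign
    variants, then scan malicious variants for a hash already in the table.
    With 2**14 variants per side and a 20-bit hash, 2**28 / 2**20 = 256
    colliding pairs are expected, so one is found essentially always."""
    table = {}
    for variant in cosmetic_variants(benign, n_flags):
        table.setdefault(toy_hash(variant), variant)
    for variant in cosmetic_variants(malicious, n_flags):
        h = toy_hash(variant)
        if h in table:
            return table[h], variant
    return None


def sign_with_random_whitespace(presented: str,
                                rng: Optional[secrets.SystemRandom] = None) -> str:
    """The signer's defence from the list message: before signing, perturb
    the text with whitespace chosen by a cryptographically secure RNG.  The
    attacker's collision was computed for the exact bytes they presented, so
    a text they could not predict will (with overwhelming probability) hash
    to something else, and the prepared malicious twin no longer matches."""
    rng = rng or secrets.SystemRandom()
    pieces = []
    for word in presented.split(" "):
        pieces.append(word)
        pieces.append(" " * rng.randint(1, 3))  # 1..3 spaces between words
    pieces.pop()  # drop the trailing spacer
    blank_lines = "\n" * rng.randint(1, 4)
    return blank_lines + "".join(pieces) + blank_lines


if __name__ == "__main__":
    pair = birthday_collision(BENIGN, MALICIOUS)
    assert pair is not None
    benign_v, malicious_v = pair
    print("attacker's pair collides:", toy_hash(benign_v) == toy_hash(malicious_v))
    signed = sign_with_random_whitespace(benign_v)
    print("after signer's whitespace, still collides:",
          toy_hash(signed) == toy_hash(malicious_v))
```

Note that the real-world difference is scale: against a 20-bit toy hash the attacker needs a few tens of thousands of hashes, whereas against a sound full-width hash the same search is infeasible, which is why the extra whitespace is belt-and-braces rather than the primary protection. The signer's edit still works on the same principle regardless of hash size: the attacker committed to a specific byte string, and the signer declines to sign exactly that string.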



