launchpad-dev team mailing list archive

Re: Signing the code of conduct

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew Bennetts wrote:
> So by making cosmetic changes to the input you make it (even more) unlikely that
> someone can take your signature of the CoC and make a fake signature of another
> document you never signed.

Doesn't the fact that whitespace is ignored make it easier to forge a
CoC signature via a "birthday attack"?  You sign another document, and
then the attacker forges a CoC signature by inserting whitespace in the
CoC until the checksums match...

Aaron
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkui9tMACgkQ0F+nu1YWqI2MvgCeKKrHXkc+DX79PcGSSbzH/pro
n+gAnAv70tE0NTyhfkH0biItlMB7nQ4b
=yO2H
-----END PGP SIGNATURE-----
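
The effect raised in this message can be measured on a toy digest; the Python sketch below is an added example, not part of the original post or of Launchpad's code. It truncates SHA-1 to 24 bits and searches whitespace-only variants of two constructed texts for a pair with equal digests. The two texts, the `normalize` rule and all function names are assumptions made for illustration.

```python
import hashlib
from itertools import product

TRUNC_BITS = 24  # toy digest size (assumption) so the search finishes quickly

# Constructed sample texts; neither is the real Code of Conduct.
COC_TEXT = ("We agree to be considerate, respectful and collaborative, and to "
            "consult others when we are unsure about a decision")
OTHER_TEXT = ("I hereby confirm that I have read the meeting notes for this "
              "week and have no further comments to add")

def full_sha1(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()

def toy_digest(text: str) -> int:
    """First TRUNC_BITS bits of SHA-1, standing in for a full-length hash."""
    return int(full_sha1(text), 16) >> (160 - TRUNC_BITS)

def normalize(text: str) -> str:
    """Assumed verifier rule: any run of whitespace compares as one space."""
    return " ".join(text.split())

def variants(text: str, gaps: int):
    """Yield 2**gaps spellings of text that all normalize to the same string."""
    words = text.split()
    head, tail = words[: gaps + 1], words[gaps + 1:]
    for seps in product((" ", "  "), repeat=gaps):
        out = head[0]
        for sep, word in zip(seps, head[1:]):
            out += sep + word
        yield " ".join([out] + tail)

def find_collision(doc_a: str, doc_b: str, gaps: int = 15):
    """Index digests of doc_a variants, then probe with doc_b variants."""
    seen = {toy_digest(v): v for v in variants(doc_a, gaps)}
    for tried, v in enumerate(variants(doc_b, gaps), start=1):
        match = seen.get(toy_digest(v))
        if match is not None:
            return match, v, tried
    return None

if __name__ == "__main__":
    a, b, tried = find_collision(OTHER_TEXT, COC_TEXT)
    print(f"toy digests match after {tried} probes: {toy_digest(a):06x}")
    print("full SHA-1 still differs:", full_sha1(a) != full_sha1(b))
```

The generic cost of this search grows as 2^(n/2) for an n-bit digest, so the digest length, not the whitespace rule alone, sets the work required.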


