[Dnssec-deployment] Algorithm downgrades - do they matter in DNSSEC? was Re: Some more sinners
Ed.Lewis at neustar.biz
Mon Sep 12 09:18:07 EDT 2011
At 13:04 +0000 9/12/11, Florian Weimer wrote:
>I should have been explicit--"collides with megacorp.example and its DS
>RRset where you know at least one private key". This is what happened
>with the MD5-based attack on X.509 certificates (collisions with
>different, but meaningful prefixes).
What this means is that you have a private key K1 that with data D1
can generate signature S1. And someone out there has key K2 that
with data D2 can generate signature S1.
How do K1 and K2 relate? I assume that if you sign D2 with K1 you
wouldn't get S1.
NeuStar You can leave a voice message at +1-571-434-5468
Vote for the word of the day:
"Papa"razzi - father that constantly takes photos of the baby
Corpureaucracy - The institution of corporate "red tape"