Aaron Bentley wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andrew Bennetts wrote:
> > So by making cosmetic changes to the input you make it (even more) unlikely that
> > someone can take your signature of the CoC and make a fake signature of another
> > document you never signed.
>
> Doesn't the fact that whitespace is ignored make it easier to forge a
> CoC signature via a "birthday attack"? You sign another document, and
> then the attacker forges a CoC signature by inserting whitespace in the
> CoC until the checksums match...

I don't think Launchpad allows third parties to upload signed CoCs on your behalf, but that doesn't really matter...

That argument applies to any GPG signed document, not just a whitespace-tweaked CoC. In principle I could take the GPG signature you put on the email I am replying to, write “I, Aaron Bentley, am Wrong on the Internet(TM)” and just keep adding whitespace until the checksums match...

That said, I share Martin's point of view that this is all pretty academic and unnecessary for Launchpad to bother users with.

-Andrew.

