Re: Re: What the verifier can do: msg#00603 ietf.dkim
Paul Hoffman <phoffman@xxxxxxxxxx> writes:

> At 11:22 AM -0700 4/30/06, Eric Rescorla wrote:
>>Yes, but it's a bad idea to design systems assuming that's going
>>to be the only algorithm you ever use.
>
> We are explicitly *not* designing this system to use heuristics that
> would cause multiple rounds. My assertion is that if an implementation
> wants to do it, it can. Along with that assertion is the fact that,
> with all the algorithms defined in the document and the assumption
> that we are unlikely to change them except in a cryptographic
> emergency, the expensive operations (asymmetric signing and verifying)
> only need to happen once.
>
>>Sure, but what happens when you want to use ECDSA because you're
>>worried about key size constraints?
>
> Then you decide if your actions that go beyond the spec are worth it
> for you in terms of effort.

Better to design a system that doesn't require people to make that
kind of tradeoff. In this case, that could be easily done by including
a copy of the unsigned digest along with the signature.

-Ekr
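The suggestion in the message above, sketched as an added example (not code from the thread or from any DKIM implementation): when the digest travels with the signature, a verifier that tries several repair heuristics compares cheap hashes first and runs the expensive verification once. HMAC stands in for the asymmetric operation so the sketch runs on the standard library; the key, heuristic names and sample message are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key. HMAC stands in for the asymmetric verify so the
# example runs on the standard library alone; it is not what DKIM uses.
KEY = b"constructed-demo-key"

def sign_digest(digest):
    return hmac.new(KEY, digest, hashlib.sha256).digest()

def expensive_verify(digest, signature):
    return hmac.compare_digest(sign_digest(digest), signature)

# Hypothetical repair heuristics for a body altered in transit.
def as_received(body):
    return body

def strip_trailing_ws(body):
    return b"\r\n".join(line.rstrip(b" \t") for line in body.split(b"\r\n"))

def drop_trailing_blank_lines(body):
    return body.rstrip(b"\r\n") + b"\r\n"

HEURISTICS = [as_received, strip_trailing_ws, drop_trailing_blank_lines]

def verify_with_digest(body, carried_digest, signature):
    """Cheap hash compare per heuristic, then one signature check.
    Returns (matching heuristic name or None, expensive operations used)."""
    for h in HEURISTICS:
        if hmac.compare_digest(hashlib.sha256(h(body)).digest(), carried_digest):
            # The carried digest is unauthenticated until the signature over
            # it verifies, so a hash match alone is never accepted.
            ok = expensive_verify(carried_digest, signature)
            return (h.__name__ if ok else None, 1)
    return (None, 0)

def verify_without_digest(body, signature):
    """Without the digest, every heuristic costs one signature check."""
    used = 0
    for h in HEURISTICS:
        used += 1
        if expensive_verify(hashlib.sha256(h(body)).digest(), signature):
            return (h.__name__, used)
    return (None, used)

# Constructed sample: a relay appended blank lines to the signed body.
SIGNED_BODY = b"Hello world\r\nBye\r\n"
DIGEST = hashlib.sha256(SIGNED_BODY).digest()
SIGNATURE = sign_digest(DIGEST)
RECEIVED = SIGNED_BODY + b"\r\n\r\n"
```

A forged body shipped with its own matching digest passes the hash comparison but still fails the single signature check, which is why the digest only filters candidates and never replaces verification.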