by fanf2
2082 days ago
If I understand the article correctly this isn't a problem for uses of Ed25519 in systems like DKIM or DNSSEC. These Ed25519 interop problems only arise with maliciously crafted keys and nonces. This is a problem for consensus systems (like Zcash in the article) because the signature is recorded and needs to be verified by many parties, and if a malicious signature tickles an interop bug it can maybe (handwave) force third parties to treat the blockchain as invalid, or something like that. But in the context of DKIM, if a sender generates a signature that a recipient can't validate, by using buggy key generation code that produces small cofactors or noncanonical encodings, only the sender suffers pain.
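The noncanonical encodings the comment mentions are where verifiers diverge: RFC 8032 says to reject a point whose y-coordinate is not below the field prime and a scalar s that is not below the group order, but lenient implementations reduce them instead and accept. The following added example (not part of the comment or the article) performs those strict pre-checks on an Ed25519 public key and signature and contrasts them with lenient reduction; the sample byte strings are constructed for illustration, not real signatures.

```python
# Strict canonicality checks for Ed25519 encodings (RFC 8032), the inputs on
# which strict and lenient verifiers disagree. Constructed example, not library code.

P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # group order (l)

def decode_y(enc: bytes, strict: bool = True):
    """Decode the y-coordinate from a 32-byte point encoding (top bit is the x sign).
    strict=True returns None for y >= p; strict=False reduces y mod p, as lenient
    verifiers do, which is why the two camps can disagree on the same bytes."""
    if len(enc) != 32:
        raise ValueError("point encoding must be 32 bytes")
    y = int.from_bytes(enc, "little") & ((1 << 255) - 1)
    if y >= P:
        return None if strict else y % P
    return y

def point_is_canonical(enc: bytes) -> bool:
    """True iff the encoded y lies in [0, p)."""
    return decode_y(enc, strict=True) is not None

def scalar_is_canonical(s_enc: bytes) -> bool:
    """True iff s < l; RFC 8032 requires rejecting s >= l (prevents signature malleability)."""
    if len(s_enc) != 32:
        raise ValueError("scalar encoding must be 32 bytes")
    return int.from_bytes(s_enc, "little") < L

def check_signature_inputs(public_key: bytes, signature: bytes) -> dict:
    """Run the strict encoding checks a verifier should apply before any curve math.
    Returns per-field findings plus 'strict_ok' (all checks passed)."""
    if len(signature) != 64:
        raise ValueError("Ed25519 signature must be 64 bytes (R || s)")
    r_enc, s_enc = signature[:32], signature[32:]
    findings = {
        "pubkey_canonical": point_is_canonical(public_key),
        "R_canonical": point_is_canonical(r_enc),
        "s_in_range": scalar_is_canonical(s_enc),
    }
    findings["strict_ok"] = all(findings.values())
    return findings

if __name__ == "__main__":
    # Constructed inputs: a canonical-looking R (y = 1) with s = l - 1, then
    # a noncanonical R (y = p) with s = l, which strict verifiers must reject.
    good_sig = (bytes([1]) + bytes(31)) + (L - 1).to_bytes(32, "little")
    bad_sig = P.to_bytes(32, "little") + L.to_bytes(32, "little")
    print(check_signature_inputs(bytes([1]) + bytes(31), good_sig))
    print(check_signature_inputs(bytes([1]) + bytes(31), bad_sig))
```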