From bd0685765dd84550ea0c71c230d8d18c739d8b34 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 23 Sep 2009 11:45:54 -0400
Subject: Revise proposal 162: SHA256(x), not SHA256(SHA256(x))

The point of doing SHA256 twice is, generally, is to prevent message
extension attacks where an attacker who knows H(A) can calculate
H(A|B).  But for attaching a signature to a document, the attacker
already _knows_ A, so trying to keep them from calculating H(A|B) is
pointless.
---
 proposals/162-consensus-flavors.txt | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

(limited to 'proposals/162-consensus-flavors.txt')

diff --git a/proposals/162-consensus-flavors.txt b/proposals/162-consensus-flavors.txt
index 56a0b0e..e257205 100644
--- a/proposals/162-consensus-flavors.txt
+++ b/proposals/162-consensus-flavors.txt
@@ -148,11 +148,10 @@ Spec modifications:
     4.1. The "sha256" signature format.
 
     The 'SHA256' signature format for directory objects is defined as
-    the RSA signature of the OAEP+-padded SHA256 digest of the SHA256
-    digest of the item to be signed.  When checking signatures,
-    the signature MUST be treated as valid if the signature material
-    begins with SHA256(SHA256(document)); this allows us to add other
-    data later.
+    the RSA signature of the OAEP+-padded SHA256 digest of the item to
+    be signed.  When checking signatures, the signature MUST be treated
+    as valid if the signature material begins with SHA256(document);
+    this allows us to add other data later.
 
 Considerations:
 
-- 
cgit v1.2.3-54-g00ecf