On Wed, Sep 28, 2016 at 06:40:57AM -0400, Alfonso De Gregorio wrote:
> If you are able to generate colliding signatures for a target (chosen) key, this may amount to an impersonation attack, depending on the exact origin authentication checks -- which may be considered even worse than a repudiation issue.
No, I didn't claim this.
> If what you can do is to generate two new key pairs, where the signatures made by the first can be verified as signed by the second (or vice versa), then this provides plausible deniability, and the possibility to repudiate any valid signature made by any of the affected signing keys.
Yes, exactly what I claimed. Posted the keys and x509 certificates, which can be verified with openssl. The keys (possibly except g=1) are not valid, but appear to be accepted by openssl without error. The certificates appear to be valid (not counting the key issues).