SnowFox

@cwebber As an amateur cryptographer: I don't think length extension is an issue, since it lets an attacker calculate h(M+padding+suffix) from h(M) without knowing M, but M is already public. (The truncation also defends against length extension, and I think the padding would fail to parse as valid JSON.)

The truncation itself makes no sense to me, but attacking someone else's did:plc is a preimage attack. 120 bits is below the usual "128-bit security level", but maybe fine-for-now... except you can attack all 20 million accounts in parallel, lowering the cost of attack to 2**96! I'm not sure you can do much with the colliding did:plc without also being/impersonating the PLC server... but the future organization they're defending against could still be the PLC server.

So on the one hand: Maybe not a huge issue in practice. On the other: I think it's an inexcusable flaw in a cryptographic design, especially when there's no rationale given.

1 comment
SnowFox replied to SnowFox

@cwebber Finally, IIUC the "malleable deputy" vulnerability isn't really due to the *truncation*: It would have also happened with support for multiple hashes, e.g. hypothetically did:sha256 vs. did:sha512, or even did:sha224 (which is the "correct" way to truncate SHA-256). Or if they messed up case-sensitivity somewhere and let you register a capitalized version of an existing did:plc.

I might call it some sort of aliasing attack?

(There's another world where you could potentially generate aliases via the padding bits in the last base32 character if the truncated comparison was done after converting to binary, but in this particular case you can't because it's truncated to a multiple of 8 characters/40 bits.)

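As an added illustration of the two points in this reply (written here, not code from the thread or from the PLC project): the identifier below is modelled as SHA-256, base32, cut to 24 characters (120 bits); the serialized genesis operation is stood in for by an arbitrary byte string, which is an assumption. It shows why a cut at a multiple of 8 base32 characters leaves no padding bits for a byte-level comparison to ignore, what happens at 23 characters, and the multi-target brute-force cost from the top-level post.

```python
import base64
import hashlib
import math

# RFC 4648 base32 alphabet, lowercased as did:plc identifiers are.
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def truncated_id(data: bytes, chars: int = 24) -> str:
    """SHA-256 `data`, base32-encode, keep the first `chars` characters.
    24 chars = 120 bits, the truncation discussed in the thread. `data`
    stands in for the serialized genesis op (assumption; the real input
    encoding is not reproduced here)."""
    digest = hashlib.sha256(data).digest()
    return base64.b32encode(digest).decode("ascii").lower().rstrip("=")[:chars]


def decode_dropping_tail(s: str) -> bytes:
    """Decode unpadded base32 the naive way: trailing bits that do not
    fill a whole byte are silently discarded."""
    bits = "".join(format(ALPHABET.index(c), "05b") for c in s)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def dropped_bits(chars: int) -> int:
    """Bits of the last base32 character a byte-level comparison ignores."""
    return (5 * chars) % 8


def aliases(s: str) -> list[str]:
    """All base32 strings that decode_dropping_tail maps to the same bytes
    as `s`. With a byte-aligned length (multiple of 8 chars) the only
    alias is `s` itself; otherwise the ignored low bits of the last
    character can take any value."""
    n = dropped_bits(len(s))
    high = ALPHABET.index(s[-1]) >> n << n      # surviving high bits
    return [s[:-1] + ALPHABET[high | low] for low in range(1 << n)]


def roundtrip_ok(data: bytes, chars: int) -> bool:
    """True when the truncated identifier carries exactly 5*chars bits of
    the digest, i.e. nothing is lost on the way back to bytes."""
    decoded = decode_dropping_tail(truncated_id(data, chars))
    digest = hashlib.sha256(data).digest()
    return decoded == digest[:len(decoded)] and len(decoded) * 8 == 5 * chars


def multi_target_preimage_log2(bits: int, targets: int) -> float:
    """log2 of expected work to hit any one of `targets` identifiers:
    every candidate hash is checked against all targets at once."""
    return bits - math.log2(targets)
```

Calling `aliases(truncated_id(op, 23))` yields eight distinct strings that all decode to the same 14 bytes, while the 24-character form has only itself; `multi_target_preimage_log2(120, 20_000_000)` comes out just under 96.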
