public key request

Troy Benjegerdes hozer at hozed.org
Tue May 24 11:24:15 PDT 2005


On Tue, May 24, 2005 at 01:49:54PM -0400, Clarke, Trevor wrote:
> Currently, opened.bml?openid.mode=getpubkey returns a DSA pubkey in
> SSLeay format. This should probably be changed. This is a deprecated
> compat format which has some issues....mostly, it has no hash or
> signature associated with it so it's easy to exploit a known DSA flaw.
> (replacing 2 of the parameters, getting a signature, deducing the
> private key from the result). It should really give an x509 cert (which
> would allow DSA or RSA). These are also much easier to work with as most
> DSA libraries don't support SSLeay format PEM public keys (just SSLeay
> and openssl AFAIK and many openssl wrappers don't support it). Could lj
> start exporting a cert instead of a DSA pubkey? It's pretty easy to do
> so with openssl...there are many recipes on the net for creating
> self-signed certs.

I'll second the full x509 cert idea. 

Having "real" x509 certs for all LJ users would be a real nice thing.
This would be a nice way to offer 'https://username.bloghost.com' as a
value-added service as well.
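
Added example, not part of the original messages or of any LJ code: an openssl sketch of the difference discussed in this thread, showing that a self-signed X.509 cert carries a signature over the key it publishes (so a changed key is detectable), while a bare PEM public key has nothing to check. The RSA key type, the placeholder CN and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example with constructed keys; the CN below is a placeholder.
set -eu

make_key_and_cert() {            # $1 = working directory
    # RSA is an assumption made for portability; the post says a cert allows DSA or RSA.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null
    # Bare public key: key material only, nothing signs it.
    openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem"
    # Self-signed cert: the same key plus a signature made with its private half.
    openssl req -new -x509 -key "$1/key.pem" -sha256 -days 365 \
        -subj "/CN=username.example.invalid" -out "$1/cert.pem"
}

cert_matches_key() {             # does the cert carry the same key as pub.pem?
    a=$(openssl x509 -in "$1/cert.pem" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -pubin -in "$1/pub.pem" -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

self_sig_ok() {                  # $1 = PEM cert; check its self-signature
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

tamper_cert() {                  # flip one bit at byte offset 200 of the DER cert
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/bad.der"
    old=$(od -An -tu1 -j200 -N1 "$1/bad.der" | tr -d ' \n')
    printf "\\$(printf '%03o' $(( old ^ 1 )))" |
        dd of="$1/bad.der" bs=1 seek=200 conv=notrunc 2>/dev/null
    { echo "-----BEGIN CERTIFICATE-----"; openssl base64 -in "$1/bad.der"
      echo "-----END CERTIFICATE-----"; } > "$1/bad.pem"
}

demo() {
    d=$(mktemp -d)
    make_key_and_cert "$d"
    cert_matches_key "$d" && echo "cert carries the same public key"
    self_sig_ok "$d/cert.pem" && echo "self-signature verifies"
    tamper_cert "$d"
    self_sig_ok "$d/bad.pem" || echo "altered cert is rejected"
    rm -rf "$d"
}
demo
```

The `-check_ss_sig` option matters here: without it `openssl verify` does not check the signature on a self-signed trust anchor, so the altered cert would not be caught.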

