public key request

Clarke, Trevor tclarke at
Tue May 24 10:49:54 PDT 2005

Currently, opened.bml?openid.mode=getpubkey returns a DSA pubkey in
SSLeay format. This should probably be changed. This is a deprecated
compat format which has some issues... mostly, it has no hash or
signature associated with it, so it's easy to exploit a known DSA flaw
(replacing 2 of the parameters, getting a signature, deducing the
private key from the result). It should really give an x509 cert (which
would allow DSA or RSA). These are also much easier to work with, as most
DSA libraries don't support SSLeay format PEM public keys (just SSLeay
and openssl AFAIK, and many openssl wrappers don't support it). Could lj
start exporting a cert instead of a DSA pubkey? It's pretty easy to do
so with openssl... there are many recipes on the net for creating
self-signed certs.



Trevor R.H. Clarke

tclarke at ball com

Ball Aerospace & Technologies Corp

