public key request

Brad Fitzpatrick brad at danga.com
Tue May 24 11:09:23 PDT 2005


Every OpenID server can't just decide whether to use RSA or DSA or one key
format or another.  That's just asking for interop hell.  We need to make
one recommendation from the beginning and have everybody do that.  You
have a URL where I can read more about this PEM format problem?

On Tue, 24 May 2005, Clarke, Trevor wrote:

> Currently, opened.bml?openid.mode=getpubkey   returns a DSA pubkey in
> SSLeay format. This should probably be changed. This is a deprecated
> compat format which has some issues... mostly, it has no hash or
> signature associated with it so it's easy to exploit a known DSA flaw
> (replacing 2 of the parameters, getting a signature, deducing the
> private key from the result). It should really give an x509 cert (which
> would allow DSA or RSA). These are also much easier to work with as most
> DSA libraries don't support SSLeay format PEM public keys (just sslway
> and openssl AFAIK and many openssl wrappers don't support it). Could lj
> start exporting a cert instead of a DSA pubkey? It's pretty easy to do
> so with openssl... there are many recipes on the net for creating
> self-signed certs.
>
> ------------------------------
>
> Trevor R.H. Clarke
>
> tclarke at ball com <mailto:tclarke at ball.com>
>
> Ball Aerospace & Technologies Corp

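What "export a cert instead of a DSA pubkey" looks like with openssl, as an added example that is not code from this thread or from LiveJournal: the same DSA key is wrapped in a self-signed X.509 cert, whose signature binds the key to a subject, and the public key is read back out as a standard SubjectPublicKeyInfo PEM instead of the SSLeay-style blob. The working directory, the 2048-bit key size and the subject name are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the list thread). Mint a self-signed X.509 cert for
# a DSA key and extract the public key in the form x509-capable libraries
# accept. Paths, key size and subject name are placeholders for this demo.
set -eu

WORK="${TMPDIR:-/tmp}/openid-dsa-demo.$$"
KEY="$WORK/dsa.key"
CERT="$WORK/server.crt"
PUB="$WORK/server.pub"

make_self_signed_dsa_cert() {
    mkdir -p "$WORK"
    # 1. DSA domain parameters and a private key (2048-bit; 1024 was 2005's norm).
    openssl dsaparam -out "$WORK/dsaparam.pem" 2048 2>/dev/null
    openssl gendsa -out "$KEY" "$WORK/dsaparam.pem" 2>/dev/null
    # 2. Self-signed cert: the signature binds the key to the subject name,
    #    something a bare SSLeay-format public key cannot carry.
    openssl req -new -x509 -key "$KEY" -days 365 \
        -subj "/CN=openid.example.invalid" -out "$CERT" 2>/dev/null
    # 3. Public key in SubjectPublicKeyInfo PEM, pulled out of the cert.
    openssl x509 -in "$CERT" -pubkey -noout > "$PUB"
}

# First line of the exported key: "-----BEGIN PUBLIC KEY-----" rather than
# the old SSLeay "-----BEGIN DSA PUBLIC KEY-----".
pubkey_header() {
    head -n 1 "$PUB"
}

# Key algorithm recorded in the cert, so a consumer can branch on DSA vs RSA.
cert_key_algorithm() {
    openssl x509 -in "$CERT" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

# Exit status 0 only if the cert's self-signature verifies.
verify_self_signed() {
    openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

make_self_signed_dsa_cert
echo "exported key header: $(pubkey_header)"
echo "cert key algorithm:  $(cert_key_algorithm)"
verify_self_signed && echo "self-signature: OK"
```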