public key request

Brad Fitzpatrick brad at
Tue May 24 11:09:23 PDT 2005

Every OpenID server can't just decide whether to use RSA or DSA or one key
format or another.  That's just asking for interop hell.  We need to make
one recommendation from the beginning and have everybody do that.  You
have a URL where I can read more about this PEM format problem?

On Tue, 24 May 2005, Clarke, Trevor wrote:

> Currently, opened.bml?openid.mode=getpubkey   returns a DSA pubkey in
> SSLeay format. This should probably be changed. This is a deprecated
> compat format which has some issues....mostly, it has no hash or
> signature associated with it so it's easy to exploit a know DSA flaw.
> (replacing 2 of the parameters, getting a signature, deducing the
> private key from the result). It should really give an x509 cert (which
> would allow DSA or RSA). These are also much easier to work with as most
> DSA libraries don't support SSLeasy format PEM public keys (just sslway
> and openssl AFAIK and many openssl wrappers don't support it). Could lj
> start exporting a cert instead of a DSA pubkey? It's pretty easy to do
> so with openssl...there are many recipes on the net for creating
> self-signed certs.
> ------------------------------
> Trevor R.H. Clarke
> tclarke at ball com <mailto:tclarke at>
> Ball Aerospace & Technologies Corp

More information about the yadis mailing list