public key request
Andy Thomas
andy.thomas2 at gmail.com
Tue May 24 11:36:49 PDT 2005
Typing.. dsa flaw.. into Google brings up some plausible
webpages for this. Reading the top hit seems to match
what Trevor mentions sufficiently well for me to not feel
a total fool for sending this email... :) (Apologies if this
turns out not to be the case..)
andy
On 5/24/05, Brad Fitzpatrick <brad at danga.com> wrote:
> Every OpenID server can't just decide whether to use RSA or DSA or one key
> format or another. That's just asking for interop hell. We need to make
> one recommendation from the beginning and have everybody do that. You
> have a URL where I can read more about this PEM format problem?
>
> On Tue, 24 May 2005, Clarke, Trevor wrote:
>
> > Currently, opened.bml?openid.mode=getpubkey returns a DSA pubkey in
> > SSLeay format. This should probably be changed. This is a deprecated
> > compat format which has some issues....mostly, it has no hash or
> > signature associated with it so it's easy to exploit a know DSA flaw.
> > (replacing 2 of the parameters, getting a signature, deducing the
> > private key from the result). It should really give an x509 cert (which
> > would allow DSA or RSA). These are also much easier to work with as most
> > DSA libraries don't support SSLeasy format PEM public keys (just sslway
> > and openssl AFAIK and many openssl wrappers don't support it). Could lj
> > start exporting a cert instead of a DSA pubkey? It's pretty easy to do
> > so with openssl...there are many recipes on the net for creating
> > self-signed certs.
> >
> >
> >
> > ------------------------------
> >
> > Trevor R.H. Clarke
> >
> > tclarke at ball com <mailto:tclarke at ball.com>
> >
> > Ball Aerospace & Technologies Corp
> >
> >
> >
> >
> _______________________________________________
> yadis mailing list
> yadis at lists.danga.com
> http://lists.danga.com/mailman/listinfo/yadis
>
More information about the yadis
mailing list