[Cryptography] Posting the keys/certs for: Two distinct DSA keys sign a file with the same signature. Is this repudiation issue?
Georgi Guninski
guninski at guninski.com
Sat Oct 1 08:29:38 EDT 2016
On Sat, Oct 01, 2016 at 01:07:27AM +0000, Salz, Rich wrote:
>
> > Does it matter who created the keys if openssl accepts them?
>
> Okay, great, you found a bug in OpenSSL in that it accepts invalid keys created by an external program.
>

I see, openssl tries to generate valid stuff, while accepting invalid
stuff by _bad_ "external programs".

> Look forward to your PR to fix it. I mean really, let's have some perspective. A bug in DSA key validation is really not a big deal.

Certainly, accepting invalid signatures (generated by external program)
or something like Shellshock/Heartbleed is much more interesting,
definitely.