[Cryptography] Posting the keys/certs for: Two distinct DSA keys sign a file with the same signature. Is this repudiation issue?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Sep 30 02:06:41 EDT 2016


Kristian Gjøsteen <kristian.gjosteen at math.ntnu.no> writes:

>These keys aren’t weak, they are invalid. The parameters used are not
>according to the standard.
>
>Verifying the parameters is somewhat expensive (should be about the same cost
>as generating a signature, and half the cost of verifying a signature). It is
>not immediately obvious that it makes sense to verify these parameters all the
>time in a TLS context. 

Given that the keys Ron posted were as follows:

P:  00:90:df:c4:88:8f:91:41:57:b9:b0:9d:9f:8d:53:
    ce:3b:ac:8e:f9:59:7a:47:08:c7:3d:6f:ab:45:e2:
    0b:3e:6f:da:a8:d0:08:7a:9f:f0:bb:19:9b:c8:60:
    d1:af:91:81:03:bf:2c:f2:dd:0e:09:fc:db:4a:1d:
    ab:a6:99:17:f5:a2:f4:0c:b1:2c:5e:f4:9d:21:2d:
    9c:0b:4f:b6:f0:b0:0c:a0:87:36:b3:f0:ff:cc:a1:
    d8:a3:32:8b:cb:b6:e0:3a:a5:a0:8f:ad:43:9f:fc:
    f6:de:28:18:da:af:86:80:c2:6e:63:95:0a:4e:0f:
    9b:00:09:1a:b6:74:34:ce:a9
Q:  00:d7:14:b8:0b:1d:52:ff:da:64:7b:ba:c7:20:00:
    98:f9:fc:4c:b2:4b
G:  1 (0x1)

I think a check for validity is pretty trivial.  Or at least detecting an
obviously-invalid key like this is pretty trivial.

Before everyone bashes OpenSSL, remember that until a year or two back Mozilla
would happily accept RSA keys with e = 1, and AFAIK Windows still does, it's a
by-design, documented means of bypassing FIPS 140.

Peter.

