Exponent 3 damage spreads...
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Sep 22 09:43:11 EDT 2006
Simon Josefsson <jas at extundo.com> writes:
>Not using e=3 when generating a key seems like an easy sell.
Almost no-one does this anyway, but I don't think that's much help.
>A harder sell might be whether widely deployed implementations such as TLS
>should start to reject signatures done with an e=3 RSA key.
>
>What do people think, is there sufficient grounds for actually _rejecting_ e=
>3 signatures?
I can't think of any other way to get people to move away from e=3. The
problem isn't major implementations who use e=F4 and check signatures properly
(at least as of a week or so back :-), it's the hundreds (or thousands?) of
random obscure implementations and deployments that'll never even hear about
this and will never be fixed, and so will remain vulnerable in perpetuity
without even knowing it. Unless things break obviously, there's no incentive
(or even apparent need) to fix it.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list