Re: [TLS] Issue 30: Reject RSA public exponent 1




On 6/3/07, Eric Rescorla <ekr at networkresonance.com> wrote:
http://www3.tools.ietf.org/wg/tls/trac/ticket/30

Nelson Bolyard writes:
        Some time ago, mozilla was modified to detect and reject RSA
        keys with public exponents equal to 1.  Presumably, the
        readers of this list need no explanation of the implications
        of such keys.

        Now, mozilla users are encountering web sites whose certs have
        such keys.  At least one public CA has apparently issued one
        or more such certs.

        I'm reporting this here to alert the readers of this list who
        may wish to ensure that their implementations detect such
        keys, and to suggest that perhaps the TLS RFC should
        explicitly forbid the use of any public keys (RSA or
        otherwise) that facilitate such weak encryption and/or
        authentication by requiring implementations to detect and reject
        them.


My general feeling is that there is a broad category of "good crypto practices" issues that don't apply specifically to TLS. I'd love to see an RFC on them, but would rather not see them in TLS proper since they need to be duplicated in every crypto-using RFC.

Proposed resolution: do nothing.

I'm wondering what the threat model is here? So, the guy who makes the key gets you to transmit your data in the plain. But, regardless of exponent value, if he wants to reveal your data all he need do is decrypt it and reveal it.

Now, I'm sure you can construct some James Bond scenario where it's a
good idea to reveal your victim's credit card number to a local
sniffer instead of the central server, but hey, we've got Tor and
anonymous remailers, anyone can hide their identity, so why bother?

-Ekr

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
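
The kind of check the thread discusses, as an added example that is not part of the original messages and is not Mozilla's code: a validator that rejects an RSA public exponent of 1, plus a demonstration of why (the public operation becomes the identity). It goes beyond the e = 1 case with a few other exponent sanity checks; the function names, the modulus and the message are constructed for illustration.

```python
# Added example: sanity checks on an RSA public key (n, e), centred on the
# e = 1 case from this thread. All names and sample values are constructed.

def rsa_public_key_problems(n, e):
    """Return the reasons to reject the key; an empty list means no objection."""
    problems = []
    if e < 1:
        problems.append("public exponent is not positive")
    elif e == 1:
        # m^1 mod n == m: "encryption" leaves the plaintext unchanged, and a
        # signature check s^1 mod n == EM proves nothing about a private key.
        problems.append("public exponent is 1")
    elif e % 2 == 0:
        # phi(n) is even for any RSA modulus, so an even e has no inverse d.
        problems.append("public exponent is even")
    if e >= n:
        problems.append("public exponent is not smaller than the modulus")
    return problems


def rsa_public_op(m, n, e):
    """Textbook RSA public operation c = m^e mod n (no padding)."""
    if not 0 <= m < n:
        raise ValueError("message representative out of range")
    return pow(m, e, n)


# Constructed demo modulus: product of the Mersenne primes 2^61-1 and 2^89-1.
# Far too small for real use; it only keeps the arithmetic readable.
N = (2**61 - 1) * (2**89 - 1)
M = int.from_bytes(b"secret", "big")  # constructed message representative


def ciphertext_equals_plaintext(e):
    """True when the 'ciphertext' under exponent e is the plaintext itself."""
    return rsa_public_op(M, N, e) == M


if __name__ == "__main__":
    for e in (1, 4, 65537):
        print(e, rsa_public_key_problems(N, e) or "ok",
              "ciphertext == plaintext:", ciphertext_equals_plaintext(e))
```
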






Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.