RE: [TLS] Issue 30: Reject RSA public exponent 1
Ben Laurie wrote:

> I'm wondering what the threat model is here? So, the guy who makes
> the key gets you to transmit your data in the plain. But, regardless
> of exponent value, if he wants to reveal your data all he need do is
> decrypt it and reveal it.

Based on Nelson's original email, it seems the threat model was not
an actively malicious attacker, but implementation and operational
mistakes: some key generation tool (mistakenly) generated keypairs
with public exponent 1, and some CA (mistakenly) issued valid certs
for them.

A TLS implementation could (and IMHO should) detect this mistake,
as Mozilla NSS now does... but the question is whether this check
should be mentioned in the TLS spec or not.

Perhaps the advice about this check could be combined with other
advice: e.g. the TLS implementation should (or even must) check
that DH group parameters are "good enough" (and reject attempts
to use e.g. 256-bit groups, unless this is really allowed by the
local policy).

Best regards,
Pasi
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
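
The two checks discussed in the message above, as an added example that is not part of the original e-mail and is not NSS code: a receiver-side sanity check on an RSA public key and on DH group parameters, with the minimum sizes taken from local policy. The function names, the sample values and the 2048-bit default minimums are assumptions made for illustration.

```python
# Added example (not from the e-mail or from NSS). Names, sample values and
# the 2048-bit default minimums are assumptions chosen for illustration.

def rsa_public_key_problems(n, e, min_modulus_bits=2048):
    """Return the reasons to reject RSA public key (n, e); empty list = accept."""
    problems = []
    if n.bit_length() < min_modulus_bits:
        problems.append("modulus shorter than %d bits" % min_modulus_bits)
    if e == 1:
        # m^1 mod n == m, so the RSA operation leaves its input unchanged.
        problems.append("public exponent is 1")
    elif e < 3 or e % 2 == 0 or e >= n:
        # phi(n) is even, so an even e has no matching private exponent.
        problems.append("public exponent even or out of range")
    return problems


def dh_group_problems(p, g, min_prime_bits=2048):
    """Return the reasons to reject DH parameters (p, g); empty list = accept.

    Size and range checks only; this does not test p for primality.
    """
    problems = []
    if p.bit_length() < min_prime_bits:
        problems.append("group modulus shorter than %d bits" % min_prime_bits)
    if p % 2 == 0:
        problems.append("group modulus is even")
    if not 1 < g < p - 1:
        problems.append("generator outside 2..p-2")
    return problems


def rsa_raw(m, n, e):
    """Raw RSA public-key operation, shown only to illustrate the e == 1 case."""
    return pow(m, e, n)


# Constructed sample values, far too small for real use.
SAMPLE_N = (2**127 - 1) * (2**89 - 1)   # 216-bit modulus
SAMPLE_P = 2**256 - 189                 # 256-bit odd DH modulus

if __name__ == "__main__":
    print(rsa_public_key_problems(SAMPLE_N, 1, min_modulus_bits=128))
    print(hex(rsa_raw(0x1234, SAMPLE_N, 1)))               # input comes back as-is
    print(dh_group_problems(SAMPLE_P, 2))                  # rejected by default
    print(dh_group_problems(SAMPLE_P, 2, min_prime_bits=256))  # allowed by policy
```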