RE: [TLS] Issue 30: Reject RSA public exponent 1

[pgut001 at cs.auckland.ac.nz (Peter Gutmann)]

<Pasi.Eronen at nokia.com> writes:

>Perhaps the advice about this check could be combined with other advice: e.g.
>the TLS implementation should (or even must) check that DH group parameters
>are "good enough" (and reject attempts to use e.g. 256-bit groups, unless
>this is really allowed by the local policy).

A problem with this is that it's almost impossible to get any consensus as to
what should and shouldn't be checked.  I played with this a few years ago and
showed it to a few crypto people and everyone had a different, generally
incompatible, checklist of things that needed to be checked.  In the end you
either end up with a huge shopping-list of often questionably-useful checks
(all of my checks are useful, everyone else's are superfluous and a waste of
implementation effort), or a more concise list that represents only one
person's idea of what's worth checking (all of my checks are useful, I'll
ignore everyone else's suggestions because they're superfluous and a waste of
implementation effort).

Overall I think (based on an attempt at doing it) that this is such an
incredible can of worms that you really, really don't want to open it.  If
anyone really wants to build a checklist, put up a web page or create a wiki
and see how the market reacts first.

Peter.

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls