[EMAIL PROTECTED] (Peter Gutmann) writes:

>>Consequently, I think the focus on e=3 is misguided.
>
> It's not at all misguided.  This whole debate about trying to hang on to e=3
> seems like the argument about epicycles, you modify the theory to handle
> anomalies, then you modify it again to handle further anomalies, then you
> modify it again, and again, ...  Alternatively, you say that the earth
> revolves around the sun, and all of the kludges upon kludges go away.
> Similarly, the thousands of words of nitpicking standards, bashing ASN.1, and
> so on ad nauseam, can be eliminated entirely by following one simple rule:
>
>   Don't use e=3
>
> This is never going to be reliably fixed if the "fix" is to assume that every
> implementor and implementation everywhere can get every minuscule detail right
> every time.  The fix is to stop using e=3 and be done with it.

Not using e=3 when generating a key seems like an easy sell.

A harder sell might be whether widely deployed implementations such as
TLS should start to reject signatures done with an e=3 RSA key.

What do people think, are there sufficient grounds for actually
_rejecting_ e=3 signatures?  One alternative would be to produce a
warning, similar to what is sometimes done for MD2 and MD5 today.

Btw, by default, OpenSSH's ssh-keygen appears to use e=35 (0x23..),
GnuPG (libgcrypt), GnuTLS and OpenSSL appear to all use e=65537, and
BIND dnssec-keygen appears to use e=3.

/Simon
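
An added example, not part of the original message: the reject-versus-warn choice raised above, written as a check on the public exponent read from an OpenSSH public key line (RFC 4253 layout) and from RFC 3110 DNSSEC RSA key data. The function names, the policy labels and the sample keys are constructed for illustration.

```python
import base64
import struct

def exponent_from_ssh_rsa(line):
    """Return e from an OpenSSH 'ssh-rsa <base64> [comment]' public key line."""
    blob = base64.b64decode(line.split()[1])
    fields, off = [], 0
    while off < len(blob):                      # each field: uint32 length + bytes
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big")     # field order: type, e, n

def exponent_from_rfc3110(key):
    """Return e from RFC 3110 RSA key data (exponent length, exponent, modulus)."""
    if len(key) < 3:
        raise ValueError("key data too short")
    elen, off = key[0], 1
    if elen == 0:                               # long form: 0x00 + 16-bit length
        elen, off = struct.unpack_from(">H", key, 1)[0], 3
    if elen == 0 or off + elen >= len(key):     # a modulus must follow e
        raise ValueError("bad exponent length")
    return int.from_bytes(key[off:off + elen], "big")

def exponent_policy(e, on_e3="warn"):
    """Classify e; on_e3 selects the treatment of e=3 ('warn' or 'reject')."""
    if e < 3 or e % 2 == 0:                     # a valid RSA exponent is odd and > 1
        return "invalid"
    return on_e3 if e == 3 else "accept"

def _field(b):
    return struct.pack(">I", len(b)) + b

# Constructed samples: filler modulus bytes, not real keys.
_N = b"\x00" + b"\xc3" * 32
SSH_SAMPLE = "ssh-rsa " + base64.b64encode(
    _field(b"ssh-rsa") + _field(b"\x23") + _field(_N)).decode() + " constructed"
DNSKEY_SAMPLE = b"\x01\x03" + b"\xc3" * 32      # 1-byte exponent, e=3

if __name__ == "__main__":
    print(exponent_policy(exponent_from_ssh_rsa(SSH_SAMPLE)))
    print(exponent_policy(exponent_from_rfc3110(DNSKEY_SAMPLE), on_e3="reject"))
```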