[EMAIL PROTECTED] (Peter Gutmann) writes:

>>Consequently, I think the focus on e=3 is misguided. 
> It's not at all misguided.  This whole debate about trying to hang on to e=3
> seems like the argument about epicycles, you modify the theory to handle
> anomalies, then you modify it again to handle further anomalies, then you
> modify it again, and again, ...  Alternatively, you say that the earth
> revolves around the sun, and all of the kludges upon kludges go away.
> Similarly, the thousands of words of nitpicking standards, bashing ASN.1, and
> so on ad nauseum, can be eliminated entirely by following one simple rule:
>   Don't use e=3
> This is never going to be reliably fixed if the "fix" is to assume that every
> implementor and implementation everywhere can get every miniscule detail right
> every time.  The fix is to stop using e=3 and be done with it.

Not using e=3 when generating a key seems like an easy sell.

A harder sell might be whether widely deployed implementations such as
TLS should start to reject signatures done with an e=3 RSA key.

What do people think, is there sufficient grounds for actually
_rejecting_ e=3 signatures?

One alternative would be to produce a warning, similar to what is
sometimes done for MD2 and MD5 today.

Btw, by default, OpenSSH's ssh-keygen appear to use e=35 (0x23..),
GnuPG (libgcrypt), GnuTLS and OpenSSL appear to all use e=65537, BIND
dnssec-keygen appear to use e=3.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to