Nash Foster wrote: > http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ > > Any actual cryptographers care to comment on this? I don't feel > qualified to judge.
It seems to me that the requirement cited: "Entity i cannot be coerced into sharing a key with entity j without i’s knowledge, ie, when i believes the key is shared with some entity l != j." is generally impossible to achieve in practice. Which is lucky: otherwise DRM would work. To address their particular complaint, one of the two parties must cooperate with the passive attacker to cause key leakage. If they are prepared to cooperate then they can leak the key anyway, and no amount of testing of public keys will prevent this. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.links.org/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
