Re: inconsistency and incompleteness in the apps wrt dsa and dh

Sat, 10 Jul 1999 12:46:01 -0700 

Marc Horowitz wrote:
> 
>  - The commands are wildly inconsistent.  gendh and gendsa do
> completely different things.  I don't know if backward compatibility
> is really important, but if it isn't, I'd rename gendh to dhparam, and
> dh to gendh.
> 

I wouldn't say "wildly inconsistent". Only the gendh, dh commands have
anomalous behaviour and thats for historical reasons. I'd certainly
agree with changing gendh to dhparam though not dh to gendh: it doesn't
generate a DH key it just processes DH parameters.

'gendh' and 'dh' should be combined and called 'dhparam' this would be
more consistent with the dsaparam behaviour.

>  - There's no way to generate a DH private key or public key, or to
> combine them into a shared secret.  (The API function names for this,
> DH_generate_key, and DH_compute_key, are also confusing.)
> 

Thats because DH private keys are only parly supported: for example
there isn't any ASN1 structure for holding a DH private key at present
nor can DH public keys be used in certificates.

DH certificates could in theory be handled, though I've yet to see a
single example. The main problem is how to use DH in a signed
certificate request since DH can't directly be used for signing.

>  - There's no way to generate or verify a DSA signature.
> 

Nor is there any way at a command level to generate or verify an RSA
signature by itself. Not every library function is available at a
command level.


>  - There's no way to generate a DSA public key only (p,q,g,y) for
> publication.
> 

They usual way to "publish" a public key is via a certificate and there
is way to include a DSA public key in a certificate.


Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to