Dr Stephen Henson <[EMAIL PROTECTED]> writes:
>Remember I said I'd add support for DH certificates if I ever saw one?
>Well some have just appeared in the S/MIME v3 examples mailing list.
>
>Oops...
>
>I notice I didn't say *when* though :-)

These are just test certs though, and from feedback I had when I asked whether
anyone was using DH recently I don't think there are anything but test certs/
implementations in existence. I strongly hope it stays that way for two
reasons:

1. My opinion of X9.42 (at least as used in S/MIME) should be reasonably well
known - "winner of the 'least sensible way to apply the DLP to a key transport
problem' competition" was the phrase I last used, I think. It's such an
incredibly awful way to do email key management it'd be best left to die a
natural death.

2. Subjective considerations of elegance aside, it's quite likely that it's
going to prove to be unworkable in practice. With RSA, I grab your cert from
somewhere, encrypt with it, and send the message. With DH I need to either
obtain a cert which duplicates the domain parameters of everyone I ever want
to communicate with in a stunning leap 25 years backwards to reintroduce the
n^2 key explosion which PKCs were supposed to eliminate (with static-static
keying) or generate a new temporary DH public cert for just that one exchange
(with static-ephemeral keying). Since reuse of DH certs yields the same
key each time, there's also a kludge for mixing nonces into the DH process to
make sure you get a different key.

The one saving grace of DH for S/MIME is that so far it's been universally
ignored. If it continues like this, the only area where there's any reason
to use it in the first place (the US) won't have implementations in use before
the RSA patent expires, and after that the one reason for its existence will
have gone away, so it'll fade into well-deserved obscurity.

A possible spanner in the works would occur if it were implemented in a
widely-used free toolkit. If OpenSSL were to support it, there might be a
possible user base by the time RSA expires, which means it'd have to be
supported for the rest of eternity.

A somewhat riskier alternative is to implement it and try to convince people
to use it, but I think that would be cruel :-).

Peter.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
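As an added illustration of the keying modes Peter contrasts above (static-static, where reusing the two certificate keys yields the same key every time unless a nonce is mixed in, versus static-ephemeral, where the sender generates a one-off public value that has to travel with the message), here is a small self-contained Python sketch. It is not code from the OpenSSL project or from either poster, and it is not an implementation of X9.42 or RFC 2631: the KDF is a plain SHA-256 over the shared secret and an optional nonce rather than the X9.42 OtherInfo structure, the group is the 1024-bit MODP prime from RFC 2409 (group 2, far too small for real use and chosen only because it is a published safe prime), and the function names (validate_group, static_static, static_ephemeral, demo) are this example's own. The parameter and public-value checks are the ones a receiver would have to run on a peer's domain parameters before static-static keying could be trusted.

```python
"""Static-static vs static-ephemeral DH, plus the nonce ("UKM") mixed into the
KDF.  Added illustration, not OpenSSL or the posters' code; the KDF is a toy
SHA-256 over (Z || nonce), NOT the X9.42 / RFC 2631 OtherInfo construction."""
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 (group 2), a safe prime p = 2q + 1.
# Far too small for real use today; it is here only as a well-known group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; enough to validate published parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p, g):
    """Static-static DH only works if every cert carries the *same* (p, g), so
    a receiver validates a peer's parameters once: safe prime, g of order q."""
    q = (p - 1) // 2
    return (is_probable_prime(p) and is_probable_prime(q)
            and 1 < g < p - 1 and pow(g, q, p) == 1)


def check_public(p, q, y):
    """Public-value validation: in range and inside the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def gen_keypair(p, g, q):
    x = secrets.randbelow(q - 2) + 2          # private exponent in [2, q-1]
    return x, pow(g, x, p)


def shared_secret(p, q, x, peer_y):
    if not check_public(p, q, peer_y):
        raise ValueError("invalid peer public value")
    return pow(peer_y, x, p)


def derive_key(z, p, nonce=b""):
    """Toy KDF: hash the fixed-width encoding of Z and an optional per-message
    nonce.  The nonce is the 'kludge' that makes static-static keys differ."""
    zb = z.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(zb + nonce).digest()


def static_static(p, q, my_priv, peer_pub, nonce=b""):
    """Both sides use long-term (certificate) keys."""
    return derive_key(shared_secret(p, q, my_priv, peer_pub), p, nonce)


def static_ephemeral(p, g, q, peer_pub):
    """Sender makes a one-off key pair; the ephemeral public value must be
    sent with the message so the receiver can repeat the computation."""
    e_priv, e_pub = gen_keypair(p, g, q)
    return e_pub, derive_key(shared_secret(p, q, e_priv, peer_pub), p)


def demo():
    """Returns which properties hold; all four are expected to be True."""
    a_priv, a_pub = gen_keypair(P, G, Q)      # Alice's certificate key
    b_priv, b_pub = gen_keypair(P, G, Q)      # Bob's certificate key
    k_msg1 = static_static(P, Q, a_priv, b_pub)   # message 1 to Bob
    k_msg2 = static_static(P, Q, a_priv, b_pub)   # message 2: same key again
    k_bob = static_static(P, Q, b_priv, a_pub)    # Bob's side of the same
    n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)
    k_n1 = static_static(P, Q, a_priv, b_pub, n1)
    k_n2 = static_static(P, Q, a_priv, b_pub, n2)
    e_pub, k_eph = static_ephemeral(P, G, Q, b_pub)
    k_eph_bob = derive_key(shared_secret(P, Q, b_priv, e_pub), P)
    return {
        "static_static_repeats_key": k_msg1 == k_msg2 == k_bob,
        "nonce_makes_keys_differ": k_n1 != k_n2 and k_n1 != k_msg1,
        "ephemeral_agrees": k_eph == k_eph_bob,
        "ephemeral_differs_from_static": k_eph != k_msg1,
    }


if __name__ == "__main__":
    print(validate_group(P, G), demo())
```

Running demo() shows the two points in the message directly: with static-static keying the same (Alice, Bob) pair derives the identical key for every message until a per-message nonce is fed into the KDF, while static-ephemeral keying gets a fresh key for free but only if Bob also receives e_pub. The subgroup checks in check_public are not optional decoration; a receiver that skips them on a peer's public value in a static-static exchange is accepting whatever group element the sender chose.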