Michael Sierchio wrote:
> 
> Dr Stephen Henson wrote:
> 
> > One more point: since you can't use DH for signing the certificates
> > would still need to be signed with another algorithm such as DSA or RSA.
> > So you'd still need something like DSA (DSS) as well even if OpenSSL did
> > support DH certificates.
> 
> This is true -- and for it you'll need to generate proof-of-possession of
> the private key for a signing request.  There are mechanisms for doing this:
> 
>         ftp://ftp.isi.edu/internet-drafts/draft-ietf-pkix-dhpop-02.txt
> 

I had a look at this a while ago when I was considering adding support
for X9.42 DH to OpenSSL. I never could get the supplied seeds to produce
the parameters listed. Has anyone else tried to reproduce them?

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
