
- *To*: Carl Ellison <cme@cybercash.com>
- *Subject*: Re: rsa public keys
- *From*: Markku-Juhani Saarinen <mjos@ssh.fi>
- *Date*: Tue, 5 Aug 1997 12:14:39 +0300 (EET DST)
- *Cc*: spki@c2.net, burt@rsa.com
- *In-Reply-To*: <199708042238.SAA03206@carl.cybercash.com>

On Mon, 4 Aug 1997, Carl Ellison wrote:

> If all you care about, in your definition of "principal", is
> "the person who knows the secret", then just the modulus is enough to
> identify that person.

I don't think that a modulus alone can securely speak for its owner. Eve could associate e=1, e=0, e=2, e=-1 or some other cooked exponent with a modulus.

> If you want to identify a key as rsa-pkcs1 rather than rsa-pkcs1-md5,
> why not just "rsa" and let the pkcs1 (input formatting) be left independent
> of the key?

I can't see any reason for doing that. PKCS#1 doesn't allow Chaum's blind signatures, but a principal key (which is a "regular" signature key) should not be used for blind signatures anyway.

The level of security would decrease as we could not be sure what input formatting was used. It really doesn't matter if we can't be sure what hash function was used, because the chance of sha1 <-> md5 collisions (i.e. having x and y so that md5(x) = sha1(y)) is minimal.

- Markku-Juhani Saarinen <mjos@ssh.fi>
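An added example, not part of the original message: one way a verifier can act on the point about cooked exponents, by rejecting degenerate values of e and deriving the key identifier from both modulus and exponent. The function names, the use of SHA-256 and the toy modulus in the comments are assumptions made for illustration.

```python
import hashlib


def int_bytes(x: int) -> bytes:
    """Big-endian encoding of a non-negative integer (at least one byte)."""
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def check_public_exponent(n: int, e: int) -> None:
    """Reject exponents that make raw RSA verification meaningless.

    e <= 2 covers e = -1, 0, 1 and 2 from the message above.
    An even e can never be coprime to phi(n), which is even for any
    RSA modulus, so no valid private exponent exists for it.
    """
    if not 2 < e < n:
        raise ValueError("public exponent out of range")
    if e % 2 == 0:
        raise ValueError("public exponent must be odd")


def key_id(n: int, e: int) -> str:
    """Identifier bound to (n, e), not to the modulus alone.

    Each field is length-prefixed so the pair encodes unambiguously.
    """
    check_public_exponent(n, e)
    h = hashlib.sha256()
    for field in (n, e):
        b = int_bytes(field)
        h.update(len(b).to_bytes(4, "big") + b)
    return h.hexdigest()


def raw_verify(n: int, e: int, sig: int, block: int) -> bool:
    """Textbook check sig^e mod n == block, where block stands in for
    the formatted (e.g. PKCS#1) hash. No exponent validation here."""
    return pow(sig, e, n) == block


# Constructed toy key: n = 61 * 53 = 3233, e = 17, d = 2753.
# With e = 1, raw_verify(n, 1, block, block) holds for any block, so a
# modulus paired with that exponent authenticates nothing. key_id()
# refuses such a pair, and a changed exponent changes the identifier.
```

In a certificate or ACL, storing `key_id(n, e)` instead of a hash of the modulus means a substituted exponent no longer maps to the same principal.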
