> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
> Of Michael Richardson
> Sent: Monday, April 08, 2013 11:01 PM
> To: IPsecme WG
> Subject: Re: [IPsec] NUDGE: WG Last Call for draft-ietf-ipsecme-dh-checks
> 
> 
> I read draft-ietf-ipsecme-dh-checks-01.
> I am not competent to understand if this addresses a real problem.
> I understood that (1 < r < p-1) is a test that many implementors did not
> do.  I think that most implementations generated r from a PRNG.

This last statement makes me suspect that you misunderstood what we were doing.

The tests we suggest in this draft are run on neither the secret exponent
nor the public value we generate.  Instead, they're run on the value r we receive
from the peer's KE payload.  How the peer selects that value isn't our problem
(we certainly hope the peer selects it in a way such that a third party can't
guess its secret exponent; we can't actually test for that); our problem is
deciding whether to accept it or not.

> 
> I have not implemented ECDSA, but the instructions seemed well
> formatted, but I don't at this point know what they mean.

Actually, we're talking about ECDH here, and not ECDSA.

> 
> --
> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
> 

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
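
The receive-side check discussed in this reply, as an added example that is not part of the original message or of the draft: it decodes the value r from a peer's KE payload data, applies the 1 < r < p-1 test quoted above, and shows which shared secrets a receiver without the test would derive. The prime P, generator G, and all function names are assumptions constructed for illustration.

```python
# Added example (not from the draft): validate the peer's DH public value r.
# P and G are toy parameters constructed for illustration only.
P = 2879   # small prime; real IKE MODP groups use primes of 1024 bits or more
G = 2


class InvalidKE(ValueError):
    """The received KE value must not be used to derive keys."""


def parse_peer_public(ke_data: bytes, p: int = P) -> int:
    """Decode r from the peer's KE payload data and enforce 1 < r < p-1."""
    plen = (p.bit_length() + 7) // 8
    # IKEv2 sends MODP public values zero-padded to the length of the prime.
    if len(ke_data) != plen:
        raise InvalidKE(f"expected {plen} bytes, got {len(ke_data)}")
    r = int.from_bytes(ke_data, "big")
    if not 1 < r < p - 1:
        raise InvalidKE(f"r={r} is outside the range 1 < r < p-1")
    return r


def secrets_without_check(p: int = P, exponents=range(2, 200)) -> dict:
    """For each rejected r, the set of shared secrets r^x mod p over many x."""
    return {r: {pow(r, x, p) for x in exponents} for r in (0, 1, p - 1)}


if __name__ == "__main__":
    plen = (P.bit_length() + 7) // 8
    honest = pow(G, 5, P).to_bytes(plen, "big")   # constructed peer value
    print("accepted:", parse_peer_public(honest))
    for bad in (0, 1, P - 1):
        try:
            parse_peer_public(bad.to_bytes(plen, "big"))
        except InvalidKE as exc:
            print("rejected:", exc)
    print(secrets_without_check())
```

For each of the three rejected values the derived secret is confined to at most two possibilities whatever the local secret exponent is, which is why the decision has to be made on the received value rather than on how it was generated.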