Dr Stephen Henson wrote:
> One more point: since you can't use DH for signing the certificates
> would still need to be signed with another algorithm such as DSA or RSA.
> So you'd still need something like DSA (DSS) as well even if OpenSSL did
> support DH certificates.
This is true -- and for it you'll need to generate proof-of-possession of
the private key for a signing request. There are mechanisms for doing this:
ftp://ftp.isi.edu/internet-drafts/draft-ietf-pkix-dhpop-02.txt
a good deal of preliminary work on encapsulating DH public key and parameter
info was done on SKIP:
http://www.skip-vpn.org/spec/X.509.html
and a good deal more has been done since elsewhere.
--
QUI ME AMET, CANEM MEUM ETIAM AMET
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
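As an added example (not code from the thread or from OpenSSL), the sketch below shows the proof-of-possession problem the reply raises: a DH key cannot sign its own certificate request, so the requester instead proves it holds the private half by deriving a shared secret with a DH key belonging to the CA and MACing the request under it, while the CA reproduces the secret from its own private key. This is the static-DH idea behind the dhpop draft linked above (later published as RFC 2875), reduced to a stdlib-only illustration: the toy group, the key-derivation step and the request encoding are all constructed for this example and do not follow the draft's exact encoding. The CA would still sign the resulting certificate with an RSA or DSA key, as the thread says; that signing step is not shown.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (an assumption for this example, not from the
# thread): the Mersenne prime 2**127 - 1 with generator 2. It keeps the
# arithmetic instant but is far too small for real use, where a standard
# 2048-bit or larger MODP group would be used instead.
P = 2**127 - 1
G = 2
ZZ_LEN = (P.bit_length() + 7) // 8


def dh_keypair():
    """Return (private exponent, public value) for the toy group."""
    x = secrets.randbelow(P - 3) + 2          # 2 <= x <= P-2
    return x, pow(G, x, P)


def dh_shared_secret(private, peer_public):
    """Classic DH agreement: ZZ = peer_public ** private mod P."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value outside the group")
    return pow(peer_public, private, P)


def encode_request(subject, dh_public):
    """Bytes the CA will certify: subject name plus the DH public value."""
    return subject.encode() + b"|" + dh_public.to_bytes(ZZ_LEN, "big")


def pop_mac_key(zz):
    """Derive a MAC key from the shared secret (simplified KDF, hypothetical)."""
    return hashlib.sha256(b"dh-pop-key|" + zz.to_bytes(ZZ_LEN, "big")).digest()


def make_pop(requester_private, ca_public, request):
    """Requester side: MAC the request under the secret shared with the CA."""
    zz = dh_shared_secret(requester_private, ca_public)
    return hmac.new(pop_mac_key(zz), request, "sha256").digest()


def verify_pop(ca_private, requester_public, request, tag):
    """CA side: recompute ZZ from its own DH private key and check the tag."""
    zz = dh_shared_secret(ca_private, requester_public)
    expected = hmac.new(pop_mac_key(zz), request, "sha256").digest()
    return hmac.compare_digest(expected, tag)


def demo():
    """Return (genuine_request_accepted, copied_key_request_accepted)."""
    ca_priv, ca_pub = dh_keypair()            # CA's own DH pair, used for POP only
    alice_priv, alice_pub = dh_keypair()
    request = encode_request("CN=alice", alice_pub)
    tag = make_pop(alice_priv, ca_pub, request)
    genuine = verify_pop(ca_priv, alice_pub, request, tag)

    # A request that merely copies Alice's public value cannot carry a valid
    # tag, because the submitter does not hold alice_priv.
    other_priv, _ = dh_keypair()
    copied_request = encode_request("CN=someone-else", alice_pub)
    copied_tag = make_pop(other_priv, ca_pub, copied_request)
    copied = verify_pop(ca_priv, alice_pub, copied_request, copied_tag)
    return genuine, copied


if __name__ == "__main__":
    print(demo())   # expected: (True, False)
```

The CA needs its own DH key pair solely so that a shared secret exists; the certificate that results is still signed with the CA's RSA or DSA key, which is exactly why a DH-only deployment cannot stand alone.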