On Friday 30 May 2008 07:39:08 [EMAIL PROTECTED] wrote:

> I personally don't like the idea of generating keys that people will
> try, or using a weak/known key with small probability, but in this
> case I think it's so small that simply scanning for and banning such
> keys is good enough.
What about in a digital signing example, where at the point at which you receive a signed instrument (say by email) it might be considered legally binding? A specific example I have here in New Zealand is the Electronic Transactions Act, where an electronic signature is, amongst other requirements, to be as reliable as is appropriate and to adequately identify the signatory. One could argue (and I'm not a lawyer) that if the digital signature was created by a key in the "Debian" keyspace, the signature *may* no longer meet these two requirements and therefore the instrument could be invalid.

The signatory and/or receiver, however, may not be aware of the contestability of the signature - which could result in all kinds of issues, including abuse of the situation (e.g. one party is aware that the signature could be contested but chooses not to divulge this until/if they decide that they want to try and exit the arrangement).

It is clear from the posts thus far that checking for such keys on creation (on an unaffected system) seems unwarranted. There also seems to be some question about the validity of blacklisting these keys. Relying on the system using the key (say for signing) being unaffected doesn't remove the possibility of the key having originated from an affected system.

I'm therefore left wondering - is blacklisting the affected keys in all forms of *usage* on all systems a prudent option? If so: is this functionality something that may be featured in a future OpenSSL release, or something that should be undertaken by an end-user of OpenSSL?

Thanks again,
Deane

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
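The question above is whether a blacklist should be consulted at *usage* time (for instance when a receiver verifies a signature), not only when a key is generated. The following is an added, stand-alone illustration of what such a usage-time check looks like; it is not code from this thread, from OpenSSL, or from Debian's openssl-blacklist package. It parses a PKCS#1 "RSA PUBLIC KEY" PEM block with the Python standard library, derives a blacklist fingerprint from the modulus, and refuses to accept a signature whose key is on the list even when the signature itself verifies. The fingerprint convention (SHA-1 over the `Modulus=<HEX>` line that `openssl rsa -noout -modulus` prints, keeping the last 20 hex digits) is modelled on Debian's openssl-vulnkey but the exact offsets are an assumption, and the sample moduli and blacklist text are constructed for the example, not real weak keys.

```python
import base64
import hashlib
import re

# Minimal DER helpers, enough for a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }.

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # DER INTEGER is signed; pad so a large modulus stays positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_to_pem(n: int, e: int) -> str:
    """Encode (n, e) as a PKCS#1 'RSA PUBLIC KEY' PEM block (used to build the constructed samples)."""
    b64 = base64.b64encode(der_sequence(der_integer(n), der_integer(e))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END RSA PUBLIC KEY-----\n"


def modulus_from_pem(pem: str) -> int:
    """Extract the RSA modulus from a PKCS#1 'RSA PUBLIC KEY' PEM block."""
    m = re.search(r"-----BEGIN RSA PUBLIC KEY-----(.*?)-----END RSA PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA PUBLIC KEY PEM block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big")


def modulus_fingerprint(n: int) -> str:
    """ASSUMED convention, modelled on Debian's openssl-vulnkey: SHA-1 over the
    'Modulus=<HEX>' line printed by `openssl rsa -noout -modulus`, keeping the
    last 20 hex digits (80 bits). The exact offsets are an assumption."""
    line = ("Modulus=%X\n" % n).encode()
    return hashlib.sha1(line).hexdigest()[-20:]


def load_blacklist(text: str) -> set:
    """Parse a blacklist file: one fingerprint per line, '#' comments and blank lines ignored."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def is_blacklisted(pem: str, blacklist: set) -> bool:
    return modulus_fingerprint(modulus_from_pem(pem)) in blacklist


def accept_signer(pem: str, blacklist: set, signature_valid: bool) -> str:
    """Usage-time policy: accept only if the signature verifies AND the signing key
    is not blacklisted. A blacklisted key is reported distinctly so the receiver
    learns the signature is contestable instead of seeing it as silently valid."""
    if is_blacklisted(pem, blacklist):
        return "rejected: key is on the weak-key blacklist"
    return "accepted" if signature_valid else "rejected: signature does not verify"


# Constructed sample moduli (NOT real weak keys; chosen only to exercise the code,
# with the top bit set so the DER padding and long-form length paths are used).
WEAK_N = (1 << 2047) | 0x1234_5678_9ABC_DEF1
GOOD_N = (1 << 2047) | 0x0FED_CBA9_8765_4321
WEAK_PEM = rsa_public_key_to_pem(WEAK_N, 65537)
GOOD_PEM = rsa_public_key_to_pem(GOOD_N, 65537)

# Constructed blacklist text in the one-fingerprint-per-line layout described above;
# in practice this would be read from a distributed blacklist file.
BLACKLIST_TEXT = "# constructed blacklist for the example\n" + modulus_fingerprint(WEAK_N) + "\n"
BLACKLIST = load_blacklist(BLACKLIST_TEXT)

if __name__ == "__main__":
    print("weak key:", accept_signer(WEAK_PEM, BLACKLIST, signature_valid=True))
    print("good key:", accept_signer(GOOD_PEM, BLACKLIST, signature_valid=True))
```

The design point is that the check hangs off the key material the receiver already has (the modulus), so it can be applied wherever a key is consumed, regardless of which system generated it. Note that a blacklist of fingerprints covers only key sizes and generators for which such a list was compiled; a key that is not on the list is merely "not known to be weak".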