- From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
- Date: Thu, 24 May 2001 12:31:10 -0400
- To: Erwin.Vanderkoogh@Sun.COM, w3c-ietf-xmldsig@w3.org, eve.maler@east.sun.com, rags@Sun.COM, lde008@dma.isg.mot.com
Hi,

From: Erwin vanderKoogh <vdkoogh@mediaport.org>
Message-ID: <3B0CFBD5.125DF2F@mediaport.org>
Date: Thu, 24 May 2001 13:17:25 +0100
Reply-To: Erwin.Vanderkoogh@Sun.COM
Organization: Sun Microsystems
To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
CC: Erwin van der Koogh - Sun Ireland - Software developer <Erwin.Vanderkoogh@Sun.COM>, w3c-ietf-xmldsig@w3.org, eve.maler@east.sun.com, rags@Sun.COM, lde008@dma.isg.mot.com
References: <200105232143.RAA0000021257@torque.pothole.com>

>> I spoke (or rather wrote) too soon. The J, seed, and pgenCounter have
>> to do with the NIST recommended way to generate p and q so you can be
>> confident someone hasn't handed you weak p and q. This needs to be
>> documented better in the spec.
>
>I don't see why this has anything to do with it.
>
>The goal is to pass around the value of an existing DSA key. Not with
>passing around information on how that key was generated.
>
>What are you going to use the other parameters for anyway? Check that
>the p and q were really generated with these values? You might just as
>well check to see if p and q are weak :)

You might be given the other parameters instead of p & q. Since many keys can use the same p & q, you might want to know they were generated as per the NIST rules before using them to generate another key. Perhaps the signer is under your authority and you want to enforce this as a policy. Or maybe there are other reasons that don't occur to me right now.

>You have to make a trust decision on whether to trust this key and
>signature anyway. Trusting someone to use a decent p and q is part of
>this process. In fact it's so easy to choose a decent p and q (by
>choosing a strong Sophie Germain prime) I don't see any reason to include
>a J, seed and pgenCounter (especially because this might reveal more
>than just this key, but also how other keys (or maybe even the private
>key) were generated).

J, seed, and pgenCounter are not being required, just defined as an option.

>...
>
>Regards,
>
>Erwin van der Koogh

Thanks,
Donald
Received on Thursday, 24 May 2001 12:32:13 UTC
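
The check debated in this message, as an added example that is not part of the original post or of the specification: given p, q, Seed, PgenCounter and optionally J, recompute q and p from the seed and counter and confirm they match. It follows the SHA-1 based procedure of FIPS 186-2 Appendix 2.2, which is assumed here to be the "NIST rules" the thread refers to; the function names, the 512-bit size and the demo seed are assumptions of this example.

```python
import hashlib, secrets

def _h(seed, add):
    # SHA-1[(SEED + add) mod 2^g] as an integer, g = seed length in bits
    x = (int.from_bytes(seed, "big") + add) % (1 << (8 * len(seed)))
    return int.from_bytes(hashlib.sha1(x.to_bytes(len(seed), "big")).digest(), "big")

def is_prime(n, rounds=32):
    # Miller-Rabin with random bases (probabilistic)
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):  # True when base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(pow(x, 1 << r, n) != n - 1 for r in range(1, s))
    return not any(witness(2 + secrets.randbelow(n - 3)) for _ in range(rounds))

def derive_q(seed):
    # Steps 2-3: SHA-1(seed) XOR SHA-1(seed+1), top and bottom bits forced to 1
    return (_h(seed, 0) ^ _h(seed, 1)) | (1 << 159) | 1

def derive_p(seed, q, counter, L):
    # Steps 7-9 at a given counter: X from n+1 hashes, rounded so p = 1 mod 2q
    n, b = divmod(L - 1, 160)
    w = sum((_h(seed, 2 + counter * (n + 1) + k) % (1 << (b if k == n else 160)))
            << (160 * k) for k in range(n + 1))
    x = w + (1 << (L - 1))
    return x - (x % (2 * q) - 1)

def verify(p, q, seed, counter, J=None):
    # Recompute q and p from (seed, pgenCounter); optionally check J = (p-1)/q
    L = p.bit_length()
    ok = L % 64 == 0 and 512 <= L <= 1024 and len(seed) >= 20 and 0 <= counter < 4096
    if not ok or q != derive_q(seed) or p != derive_p(seed, q, counter, L):
        return False
    return is_prime(q) and is_prime(p) and (J is None or J * q == p - 1)

def generate(L=512, start=b"constructed-demo-seed"):
    # Demo-only generator so verify() has input; the seed value is constructed
    s = int.from_bytes(start, "big")
    while True:
        seed, s = s.to_bytes(len(start), "big"), s + 1
        q = derive_q(seed)
        for counter in range(4096 if is_prime(q) else 0):
            p = derive_p(seed, q, counter, L)
            if p.bit_length() == L and is_prime(p):
                return p, q, seed, counter, (p - 1) // q
```

A passing check shows only that p and q came out of this hash-driven search for the given seed and counter; whether to trust the key holder remains the separate decision raised in the quoted message.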