On Wed, May 14, 2008 at 06:22:37PM -0500, Steve Greenland wrote: >> Therefore, anyone who had a DSA key has had it compromised... > Shouldn't that be "anyone who had a DSA key *created by the flawed > version of openssl* has had it compromised..."? Or are you asserting > something stronger?
No. Any key who had a single DSA signature created by the flawed version of OpenSSL should be considered compromised. DSA requires a secret, random number as part of the signature process; if someone figures it out, or you use the same number twice, the entire secret key falls. /* Steinar */ -- Homepage: http://www.sesse.net/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
