Hey Hanno, My understanding is that historically OpenSSL may have had this bug, though I'm sure it's not alone. (We almost introduced this bug into pyca/cryptography, but caught it before releasing.)
I think for pyca/cryptography we'd also be quite interested in emitting a warning for this case: https://github.com/pyca/cryptography/issues/13672 Alex On Tue, Oct 14, 2025 at 7:11 PM Hanno Böck <[email protected]> wrote: > > Hi David, > > Thanks for the explanation. At least for me, this is different from how > I initially interpreted this issue. > > It would appear that the ideal solution would be to phaseout such > malencoded EC keys. Do you have any idea how prevalent they are, and > which implementations created them? > > I wonder if there are steps that can be done to get to a deprecation. > > Applications could emit warnings when loading such keys, and APIs could > provide an optional flag that rejects them if application programmers > want that. That could lead to a detection of existing such keys and > ideally remaining implementations creating them would be recognized > and fixed. Possibly, this could allow deprecation in a few years. > > Any thoughts on that? Any implementors of EC key using software that > might want to go in that direction? > > > -- > Hanno Böck > https://hboeck.de/ -- All that is necessary for evil to succeed is for good people to do nothing.
