[openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Sep 9 12:07:43 UTC 2015

On Wed, Sep 09, 2015 at 03:02:36PM +0300, Georgi Guninski wrote:

> On Wed, Sep 09, 2015 at 11:55:36AM +0000, Viktor Dukhovni wrote:
> > 
> > The expected time for this sort of check is when CAs sign certificates,
> > not when TLS handshake participants validate the certificates of
> > their peers (issued by trusted issuers, or else why bother).
> Are you saying I can't sign the cert with another cert
> (the pubkey is easy to extract from the cert) with openssl?

If you control a trusted root CA, or an intermediate CA issued
(possibly indirectly) by a trusted root CA, you can sign anything
you want and it will be trusted.  The fact that malfeasant CAs can
compromise security is not new.

If you don't control a trusted CA, what significance would such a
signature carry?  Yes, most certificates (sometimes constrained by
KeyUsage) can be used for signing, but unless "CA=true", they can't
be used to sign other certificates that will be trusted by peers.


More information about the openssl-users mailing list