Santosh,
Some of us have suggested that the Lenstra attack does not break non-repudiation. I would like to add another piece of evidence for NR. If there is a dispute between the signer and the relying party and the signer (or CA) and the relying party produce two certificates resulting in the same hash,
When RFC 3126 is used, then ESSCertID MUST be used as a signed attribute, which means that there MUST be not only the same hash value but also the same CA DN and the same serial number.
ESSCertID ::= SEQUENCE {
    certHash        Hash,
    issuerSerial    IssuerSerial OPTIONAL
}

Hash ::= OCTET STRING -- SHA1 hash of entire certificate

IssuerSerial ::= SEQUENCE {
    issuer          GeneralNames,
    serialNumber    CertificateSerialNumber
}
Denis
signer could be required to produce further evidence for the moduli and one would notice that one of the factors is 512 bits for 2048 modulus, something FIPS does not recommend. That would be viewed as additional evidence of mischief by the subscriber.

Santosh Chokhani
Orion Security Solutions, Inc.
1489 Chain Bridge Road, Suite 300
McLean, Virginia 22101
(703) 917-0060 Ext. 35 (voice)
(703) 917-0260 (Fax)
chokhani@xxxxxxxxxxxx
Visit our Web site http://www.orionsec.com
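
Added example, not part of the original messages: a sketch of the verifier-side check implied by the ESSCertID structure quoted above, comparing certHash and, when present, issuerSerial. The Cert class is a simplified stand-in for a parsed certificate, all names and sample values are constructed, and weak_hash is a deliberately weak 1-byte hash used only so that a colliding pair can be built for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass(frozen=True)
class Cert:                       # simplified stand-in, not a real X.509 parser
    der: bytes                    # entire certificate encoding (input to certHash)
    issuer: str                   # CA DN
    serial: int                   # certificate serial number

@dataclass(frozen=True)
class ESSCertID:
    cert_hash: bytes
    issuer_serial: Optional[Tuple[str, int]] = None   # OPTIONAL in the ASN.1

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def weak_hash(data: bytes) -> bytes:
    # Assumption for the demo only: 1-byte hash so collisions are easy to find.
    return hashlib.sha1(data).digest()[:1]

def make_ess_cert_id(cert: Cert, h: Callable = sha1,
                     with_issuer_serial: bool = True) -> ESSCertID:
    pair = (cert.issuer, cert.serial) if with_issuer_serial else None
    return ESSCertID(h(cert.der), pair)

def matches(cert: Cert, ess: ESSCertID, h: Callable = sha1) -> bool:
    """True if cert is the certificate the signed attribute refers to."""
    if h(cert.der) != ess.cert_hash:
        return False
    if ess.issuer_serial is None:          # hash is the only binding
        return True
    return ess.issuer_serial == (cert.issuer, cert.serial)

def find_colliding(cert: Cert, h: Callable) -> Cert:
    """Build a different constructed certificate whose encoding collides under h."""
    n = 0
    while True:
        cand = Cert(b"constructed-cert-%d" % n, "CN=Other CA", n)
        if cand.der != cert.der and h(cand.der) == h(cert.der):
            return cand
        n += 1

original = Cert(b"constructed-cert-original", "CN=Example CA", 1001)
other = find_colliding(original, weak_hash)
hash_only = make_ess_cert_id(original, weak_hash, with_issuer_serial=False)
full = make_ess_cert_id(original, weak_hash)
```

With only certHash, the colliding certificate is accepted; with issuerSerial present, it is rejected unless it also carries the same issuer and serial number.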