
Thread: A note on vendor reaction speed to the e=3 problem




user name
2006-09-15 08:49:31
When I fired up Firefox a few minutes ago it told me that there was a new
update available to fix security problems.  I thought, "Hmm, I wonder what
that would be...".  It's interesting to note that we now have fixes for many
of the OSS crypto apps (OpenSSL, gpg, Firefox (via NSS, so probably
Thunderbird as well), my own cryptlib), but nothing from any of the commercial
vendors.  Maybe someone should convert this into a DRM attack so Microsoft
will fix it before 2007.

(The real #*($&#*( for me is that I wanted to turn off e=3 years ago, but when
I did it in a snapshot release some squawk piped up to say that they were
using e=3 and the standard said it was OK and I was being non-standards
compliant and so on and so forth, so in the end I had to leave it enabled.  I
did make it very easy to turn off with a single-character code change, but
that may explain why commercial vendors are going to be reluctant to rush out
a fix without a lot of prior impact assessment).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
