On Wed, Sep 09, 2015 at 03:17:01PM +0300, Georgi Guninski wrote:

> If I am CA and sign cert requests with vanilla openssl,
> will I sign a composite $q$?

The "openssl ca" command won't stop you from signing a non-prime DSA $q$. Real CAs need to do a lot more than is done in "openssl ca". No real public CAs issue DSA certificates. Perhaps some internal USG CAs issue DSA certificates.

What specific attack did you have in mind? The MiTM obtains a weak certificate from a trusted CA? And then uses static DH_DSS with a smooth $q$ allowing the attacker to recover the peer's ephemeral DH private exponent? What then? The peer is now performing a handshake with the authenticated MiTM, where's the attack against a third party?

To make this interesting (not saying it is impossible, but no evidence has been provided yet that anything interesting is afoot), you need a more complete attack description than "OpenSSL accepts non-prime $q$".

-- 
Viktor.