
oss-sec mailing list archives
Re: BoringSSL private key loading is not constant time
From: Hanno Böck <hanno () hboeck de>
Date: Tue, 14 Oct 2025 20:42:48 +0200
Hi David,

Thanks for the explanation. At least for me, this is different from how I initially interpreted this issue.

It would appear that the ideal solution would be to phase out such malencoded EC keys. Do you have any idea how prevalent they are, and which implementations created them?

I wonder if there are steps that can be done to get to a deprecation. Applications could emit warnings when loading such keys, and APIs could provide an optional flag that rejects them if application programmers want that. That could lead to a detection of existing such keys and ideally remaining implementations creating them would be recognized and fixed. Possibly, this could allow deprecation in a few years.

Any thoughts on that? Any implementors of EC key using software that might want to go in that direction?

--
Hanno Böck
https://hboeck.de/