On May 19, 2008, at 2:54 PM, Florian Weimer wrote:
* Dirk-Willem van Gulik:One way to do this a bit more careful may be by comparing the actual data itself. OpenSSL will output this with the modulus flag: openssl genrsa 1024 | openssl rsa -noout -modulusYes, that's what dowkd is doing (albeit with a somewhat suboptimal algorithm; I should have used the most-significant bits, not the least-significant).
Sure - the downside in a lot of those approaches is that they then proceed to generate an MD5 or SHA1 or just the modulus (in hex or binary), the String 'Modulus=...', with or without '\n' and/or then proceed to look at the whole md5/sha1 or just the last 20 chars or so.
Working with the original and some indication as to what pid, platform, keylen endianness, and .rnd, is useful - as that way it is possible to understand, reconstruct, spotcheck or verify in-situ - rather than having to build trust without easy verify.
So I'd publish/ship the original - and then derive everything else from it as/if needed (and given the speed of a 'grep' or that of an BDB) -- above/early optimizations may not be that crucial anyways.
Thanks, Dw