by ryan-c
675 days ago
I think very few customers had ever generated API keys, and as best I can tell they made an allowlist for them. One of my suggestions to them was to switch to elliptic curve, but I imagine RSA 4096 "just worked". I suspect they'll rework it later now that it's not "on fire".
You're probably right that RSA 4096 "just worked", and some library in their stack doesn't have elliptic curve support. And again, if N is small, the verification performance doesn't matter that much.
Nice find and writeup!