I put in this note in -11 in security considerations about PKCS1
padding:
* PKCS1 has been found to be vulnerable to attacks in which a
system that reports errors in padding differently from errors in
decryption becomes a random oracle that can leak the private key
in mere millions of queries. Implementations must be aware of
this attack and prevent it from happening. The simplest solution
is to report a single error code for all variants of decryption
errors so as not to leak information to an attacker.
I don't want to beat this to death, given that the consensus seems to
be that this is an error to worry about, but an implementation
error that is presently something smart coders should know about.
If there are small changes someone wants, feel free to write them up. I
read the UPnP section that Carl mentioned. I think we are terser, but
no less informative. I think the above gives someone who has a real
reason not to take the suggested workaround a clue that they might want
to start googling.
Jon
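As an added illustration of the "single error code" suggestion in the note above (example code written here, not part of Jon's draft text and not taken from any OpenPGP implementation), the block below contains a toy EME-PKCS1-v1_5 unpadding routine in two variants. The leaky variant raises a different exception type for a bad block header, a missing separator, or a wrong length, so a caller (or an attacker watching error responses) can tell padding failures apart from decryption failures. The hardened variant runs every check, folds the results into one flag, and raises a single DecryptionError at the end. The padding helper, the key size k, and the sample message are constructed for this example; the block covers only the error-code channel, and timing of the checks remains a separate channel this toy code does not address.

```python
import os


class PaddingError(Exception):
    """Leaky variant: raised for malformed padding."""


class DecryptError(Exception):
    """Leaky variant: raised for non-padding failures (e.g. wrong length)."""


class DecryptionError(Exception):
    """Hardened variant: the only error type ever raised."""


def pad_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Build an EME-PKCS1-v1_5 block (constructed helper for the example):
    0x00 || 0x02 || PS (nonzero random bytes, at least 8) || 0x00 || M."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus size")
    ps = bytearray()
    while len(ps) < ps_len:
        # os.urandom may yield zero bytes; PS must contain none of them.
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def unpad_leaky(em: bytes, k: int) -> bytes:
    """Vulnerable style: each failure cause produces a distinguishable error."""
    if len(em) != k:
        raise DecryptError("wrong block length")
    if em[0:2] != b"\x00\x02":
        raise PaddingError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise PaddingError("no separator byte")
    if sep - 2 < 8:
        raise PaddingError("padding string too short")
    return em[sep + 1:]


def unpad_uniform(em: bytes, k: int) -> bytes:
    """Hardened style: run every check, then report one generic error."""
    bad = len(em) != k
    # Always work on a k-byte buffer so the later checks run regardless.
    buf = em if not bad else bytes(k)
    bad |= buf[0] != 0x00 or buf[1] != 0x02
    # Scan the whole buffer for the first separator instead of stopping early.
    sep = -1
    for i in range(2, k):
        if buf[i] == 0x00 and sep == -1:
            sep = i
    bad |= sep == -1
    bad |= sep != -1 and sep - 2 < 8
    if bad:
        # Same exception type and same message for every failure cause.
        raise DecryptionError("decryption error")
    return buf[sep + 1:]


def observe(unpad, em: bytes, k: int) -> str:
    """Return what an observer of the error channel learns: 'ok' or the
    exception class name. This is the view the note warns about."""
    try:
        unpad(em, k)
        return "ok"
    except Exception as exc:  # noqa: BLE001 - we want to see every type
        return type(exc).__name__


if __name__ == "__main__":
    k = 64                      # constructed: a 512-bit modulus size in bytes
    em = pad_pkcs1_v15(b"session key", k)
    bad_header = b"\x00\x01" + em[2:]
    for name, fn in (("leaky", unpad_leaky), ("uniform", unpad_uniform)):
        print(name, observe(fn, em, k), observe(fn, bad_header, k),
              observe(fn, em[:-1], k))
```

Running the block prints one line per variant: the leaky routine answers "ok", "PaddingError", "DecryptError", while the uniform routine answers "ok", "DecryptionError", "DecryptionError", so the observer can no longer tell a padding problem from any other decryption failure.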