On Fri, Mar 28, 2014 at 07:44:53PM +0100, Dr. Stephen Henson wrote: > Certainly. Nothing is set in stone at this stage. It's only part of the master > branch and wont appear in a release for a while yet. > > [...] > > Yes I'm aware of some of the problems here. I do want OpenSSL to reject > attempts to do silly things by default (e.g. ridiculously small key sizes). > > [...] > > What are your thoughts on level 1? Do you think those requirements are > reasonable? Currently (subject to change!) level 1 is the default level.
One way to address my concerns, beyond simple adjustment of which level excludes any given mechanism or parameter value, is perhaps to shift from numbered levels to named levels. Numbered levels are suggestive of a simple linear scale of increasing goodness (it goes to 11), and naive users will be tempted to max out the security level without much thought. In practice, things are more nuanced, and perhaps named levels would be better. An off the cuff example might be: - Permissive: Maximal interoperability even with relatively weak crypto, but completely broken parameters that nobody uses may be excluded. - Interoperable: Strongly interoperable with mainstream and even laggard systems that are still in use. 80-bit floor. - Restrictive: Mostly interoperable with mainstream systems, some laggard systems may be left behind. Mostly a 112 bit floor, but prime DH remains at 1024 bits (IIRC 80-bit equivalent) due to interoperability issues. - Aggressive: Mostly 128-bit and up across the board, with prime DH at 2048 bits (IIRC 112-bit equivalent), again for interop reasons. What's new in the security levels is the fact that they control multiple facets of the TLS handshake rather than just the symmetric key length, this remains, but with named levels there is more room to deviate from SP-800 where needed, and the names might help some users avoid the temptation to maximize security at the cost of interoperability. -- Viktor. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org