Hi Rich,

On 09.09.2014 14:18, Salz, Rich wrote:
>> May I suggest 4096 bit with SHA-256.
>
> I think the next step after 2K-RSA is ECC, and that 4K RSA isn't going to see
> much deployment because of the computational cost. At least, that's how we
> see things at my employer.
>
>> And Chrome+Firefox still happily use MD5 to sign SPKAC after offering you
>> to create Low (512), Medium (1024) or High (2048) grade encryption keys
>> (patch available for ages BTW) ...
>
> If you can point me to patches, email, or whatever I can try to make sure
> those links get seen by folks in charge.

Sure, there are 6 related bugs when searching for "keygen" on Mozilla's
Bugzilla that affect the problem:

Key size spec for <KEYGEN> tag:
https://bugzilla.mozilla.org/show_bug.cgi?id=495876
(potentially doing a comma list of asymm+size - e.g. rsa2048,dsa2048,... -
with ecc-* to wildcard all EC curves or !dsa to prohibit any DSA keys might
be an option working for every cipher)

1024 bit option should be removed:
https://bugzilla.mozilla.org/show_bug.cgi?id=649910
(or the default options modified to more sane values like 2048, 3072 and 4096)

Automated tests for <KEYGEN> tag:
https://bugzilla.mozilla.org/show_bug.cgi?id=698315
(IIRC this one was the blocker for some of the other issues)

Some more automated tests for <KEYGEN> tag:
https://bugzilla.mozilla.org/show_bug.cgi?id=960888
(IMHO low prio, but probably related)

SPKAC signed with MD5withRSAencryption:
https://bugzilla.mozilla.org/show_bug.cgi?id=549460
(would be nice if this was done with SHA-2 - or I'd prefer using a setting
to select between MD5 up to SHA-3, but optional on that setting)

Increase options offered by <KEYGEN> tag:
https://bugzilla.mozilla.org/show_bug.cgi?id=495836
(IMHO one of the oldest issues in the list)

For Chrome I can fire up a search on the bugtracker too if you like, but
the issues should be similar.

Also, while we are at client certificates: please remove the limit on sent
client certificates: if I happen to have a certificate with such a long key
(and Firefox happily imports them) you shouldn't get into trouble while
using them. Will file a bug for the exact behaviour when I get around to it
(related to the #747453 issue in Debian).

Regards,
BenBE.

>
> /r$
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge MA
> IM: rs...@jabber.me Twitter: RichSalz
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
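Editor's note (added example, not part of the thread above or of any browser or OpenSSL code): the two complaints in the message, SPKAC blobs signed with md5WithRSAEncryption and <keygen> offering 512/1024-bit RSA, are both things the server receiving the form post can check before passing the request on to a CA. The script below decodes a base64 SPKAC (SEQUENCE { PublicKeyAndChallenge, AlgorithmIdentifier, BIT STRING }) with a small standard-library DER parser, reports the signature OID and the RSA modulus length, and flags MD5 signatures and short keys. The SPKAC used as input is constructed inline with a dummy signature, so this checks policy only; the signature itself is verified separately, for example with "openssl spkac -in spkac.txt -verify". The OIDs are the standard PKCS#1 values; function names and the 2048-bit minimum are this example's own choices.

```python
"""Inspect a <keygen>-style SPKAC: signature digest and RSA key size.

Added example with a minimal DER encoder/decoder (standard library only).
The SPKAC built by build_spkac() is constructed for illustration and carries
a zero-filled dummy signature; inspect_spkac() checks policy, not validity.
"""
import base64

# Standard PKCS#1 OIDs (well-known values, not from the mailing-list post)
OID_RSA = "1.2.840.113549.1.1.1"
OID_MD5_RSA = "1.2.840.113549.1.1.4"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
WEAK_SIG_OIDS = {OID_MD5_RSA: "md5WithRSAEncryption"}


# ---- tiny DER encoder, used only to construct the sample SPKAC ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:          # keep the INTEGER positive
        b = b"\x00" + b
    return tlv(0x02, b)

def oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = bytearray([p & 0x7F])
        p >>= 7
        while p:             # base-128 with continuation bits
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(enc)
    return tlv(0x06, body)

def bitstring(b):
    return tlv(0x03, b"\x00" + b)   # zero unused bits

def build_spkac(modulus_bits, sig_oid, challenge=b"constructed-challenge"):
    """Constructed SPKAC: modulus of the requested length, dummy signature."""
    modulus = (1 << (modulus_bits - 1)) | 0x0B     # not a real key, size only
    rsa_key = seq(integer(modulus), integer(65537))
    spki = seq(seq(oid(OID_RSA), tlv(0x05, b"")), bitstring(rsa_key))
    pkac = seq(spki, tlv(0x16, challenge))          # IA5String challenge
    dummy_sig = b"\x00" * (modulus_bits // 8)
    spkac = seq(pkac, seq(oid(sig_oid), tlv(0x05, b"")), bitstring(dummy_sig))
    return base64.b64encode(spkac).decode()


# ---- tiny DER decoder, what the server-side check actually uses ----
def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:            # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def inspect_spkac(b64):
    der = base64.b64decode(b64)
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    pkac, sig_alg, _sig = _children(body)
    spki, challenge = _children(pkac[1])
    alg, pubkey = _children(spki[1])
    key_oid = _decode_oid(_children(alg[1])[0][1])
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    key_bits = None
    if key_oid == OID_RSA:
        (_t, rsa_body), = _children(pubkey[1][1:])  # skip unused-bits octet
        modulus, _e = _children(rsa_body)
        key_bits = int.from_bytes(modulus[1], "big").bit_length()
    return {"challenge": challenge[1].decode("ascii"), "key_oid": key_oid,
            "key_bits": key_bits, "sig_oid": sig_oid}

def policy_violations(b64, min_rsa_bits=2048):
    """Return the list of reasons to reject this SPKAC (empty = acceptable)."""
    info = inspect_spkac(b64)
    problems = []
    if info["sig_oid"] in WEAK_SIG_OIDS:
        problems.append("SPKAC signed with " + WEAK_SIG_OIDS[info["sig_oid"]])
    if info["key_oid"] == OID_RSA and info["key_bits"] < min_rsa_bits:
        problems.append("RSA key is only %d bits (minimum %d)"
                        % (info["key_bits"], min_rsa_bits))
    return problems

if __name__ == "__main__":
    for bits, sig in ((1024, OID_MD5_RSA), (2048, OID_SHA256_RSA)):
        print(bits, sig, policy_violations(build_spkac(bits, sig)))
```

Usage note: a real <keygen> submission arrives base64-encoded in the form field named by the tag, so inspect_spkac() can be fed that field directly. The decoder deliberately rejects trailing bytes after the outer SEQUENCE; a CA front end should likewise refuse anything it cannot fully parse rather than pass it to the signing tool.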