Hi Rich,
On 08.09.2014 23:59, Salz, Rich wrote:
We are considering changing the default keysize (RSA, DSA, DH) from 1K
to 2K, and changing the default signing digest from SHA-1 to SHA-256.
May I suggest 4096 bit with SHA-256.
That way you have a security level of = 128 bit for both
May I suggest 4096 bit with SHA-256.
I think the next step after 2K-RSA is ECC, and that 4K RSA isn't going to see
much deployment because of the computational cost. At least, that's how we see
things at my employer.
And Chrome+Firefox still happily uses MD5 to sign SPKAC after offering you
I think that 3K-RSA is the next step after 2K-RSA, and I am sure that the
computational costs of a 4K-RSA certificate is much of an obstruction with
current hardware and I think that it isn't a problem at all a couple years
in the future.
2014-09-09 14:18 GMT+02:00 Salz, Rich rs...@akamai.com:
On Tue, Sep 09, 2014 at 05:54:15PM +0200, Jeroen de Neef wrote:
I think that 3K-RSA is the next step after 2K-RSA, and I am sure that the
computational costs of a 4K-RSA certificate is much of an obstruction with
current hardware and I think that it isn't a problem at all a couple years
in
No, I do not have numbers to back it up, that is why my guess is that
3K-RSA is the next step after 2K-RSA.
It also depends on what data you are planning to transport, and in what
kind of organisation you are.
2014-09-09 18:21 GMT+02:00 Viktor Dukhovni openssl-us...@dukhovni.org:
On Tue, Sep
On 09/09/2014 14:18, Salz, Rich wrote:
May I suggest 4096 bit with SHA-256.
I think the next step after 2K-RSA is ECC, and that 4K RSA isn't going to see
much deployment because of the computational cost. At least, that's how we see
things at my employer.
There was (some years ago) a heated
Hi Rich,
On 09.09.2014 14:18, Salz, Rich wrote:
May I suggest 4096 bit with SHA-256.
I think the next step after 2K-RSA is ECC, and that 4K RSA isn't going to see
much deployment because of the computational cost. At least, that's how we
see things at my employer.
And Chrome+Firefox
We are considering changing the default keysize (RSA, DSA, DH) from 1K to 2K,
and changing the default signing digest from SHA-1 to SHA-256.
We've already committed this to HEAD/master. We would like to make this change
in the upcoming 1.0.2 release as well. Several downstream distributions,
No objection at all. Perhaps it might be worth checking that the other
defaults are sane too at the same time though. e.g. x509 versions etc.
Rich.
On 8 September 2014 22:59, Salz, Rich rs...@akamai.com wrote:
We are considering changing the default keysize (RSA, DSA, DH) from 1K to
2K, and
No complaints from me for 1K or 2K, but...
Oh, sorry, this would be 1.0.2 and HEAD only. Not 1.0.1 or earlier.
--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me Twitter: RichSalz