On 10/09/13 14:03, Ben Laurie wrote:
> On 10 September 2013 03:59, james hughes <[email protected]> wrote:
> [...]
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>
>> I retract my previous "+1" for this ciphersuite. This is hard coded 1024 DHE and 1024-bit RSA.
>
> It is not hard coded to 1024-bit RSA. I have seen claims that some platforms hard code DHE to 1024 bits, but I have not investigated these claims. If true, something should probably be done.
Yes - hard code them all to 1024-bit. Then dump TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 in the bin where it belongs.
Then replace it with a suite such as TLS_DHE2048_WITH_RSA2048_WITH_AES_128_GCM_SHA256.
Would a non-cryptographer know what TLS_DHE2048_WITH_RSA2048_WITH_AES_128_GCM_SHA256 meant? No. So for heaven's sake call it Ben's_suite or something, with a nice logo or icon, not TLS_DHE2048_WITH_RSA2048_WITH_AES_128_GCM_SHA256.
They won't know what Ben's_suite means either, but they may trust you (or perhaps not, if you are still working for Google ...)
The problem with TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 is that you don't know what you are getting.
[ The other problem is of course that the main browsers don't make it easy to find out which suite is actually in use ... :( ]
Hmmm, can a certificate have several key lengths to choose from? And, if the suite allows it, can a certificate have an RSA key for authentication and a different RSA key for session key setup (cf. RIPA)?
-- Peter Fairbrother

_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
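The point made above, that the name TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 tells you nothing about the size of the DH group the server actually picked, has a concrete check: the group size is visible only in the ServerKeyExchange message. The following is an added example, not code from anyone in this thread; it parses a DHE ServerKeyExchange (RFC 5246 layout), reports the bit length of dh_p and the signature algorithm, and flags groups below a threshold. The threshold `MIN_ACCEPTABLE_DH_BITS`, the function names, and the fixtures built by `build_dhe_server_key_exchange` are all assumptions of this example; the fixture moduli are random odd numbers, not primes and not real captures.

```python
"""
Inspect a TLS ServerKeyExchange for a DHE_RSA suite and report the actual
Diffie-Hellman group size the server chose.  The ciphersuite name does not
fix |p|; only this handshake message reveals it.
"""
import secrets
import struct

MIN_ACCEPTABLE_DH_BITS = 2048  # policy threshold, an assumption for this example


def _read_vec16(buf: bytes, off: int):
    """Read a 2-byte length-prefixed vector at buf[off:]; return (bytes, new_off)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated vector")
    return buf[off:off + n], off + n


def parse_dhe_server_key_exchange(msg: bytes, tls12: bool = True) -> dict:
    """
    msg is one Handshake message: type(1) || length(3) || body.
    For DHE the body is ServerDHParams { dh_p, dh_g, dh_Ys } (each a
    2-byte length-prefixed opaque), then the signature: in TLS 1.2
    SignatureAndHashAlgorithm(2) || sig<0..2^16-1>, in TLS 1.0/1.1 just sig.
    """
    if len(msg) < 4 or msg[0] != 0x0C:  # 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake length does not match message")
    off = 0
    p, off = _read_vec16(body, off)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    sigalg = None
    if tls12:
        if off + 2 > len(body):
            raise ValueError("missing SignatureAndHashAlgorithm")
        sigalg = (body[off], body[off + 1])  # e.g. (4, 1) = sha256, rsa
        off += 2
    sig, off = _read_vec16(body, off)
    if off != len(body):
        raise ValueError("trailing bytes after signature")
    p_int = int.from_bytes(p, "big")
    ys_int = int.from_bytes(ys, "big")
    p_bits = p_int.bit_length()
    problems = []
    if p_bits < MIN_ACCEPTABLE_DH_BITS:
        problems.append(f"dh_p is only {p_bits} bits")
    # Cheap sanity checks a client should make before using dh_Ys at all.
    if not (1 < ys_int < p_int - 1):
        problems.append("dh_Ys outside (1, p-1)")
    if p_int % 2 == 0:
        problems.append("dh_p is even")
    return {
        "p_bits": p_bits,
        "g": int.from_bytes(g, "big"),
        "ys_bits": ys_int.bit_length(),
        "sig_alg": sigalg,
        "sig_bytes": len(sig),
        "problems": problems,
        "acceptable": not problems,
    }


def build_dhe_server_key_exchange(p: int, g: int, ys: int, sig: bytes,
                                  tls12: bool = True) -> bytes:
    """Construct a ServerKeyExchange fixture (test data only; sig is opaque
    filler, not a real RSA signature over the parameters)."""
    def vec16(b: bytes) -> bytes:
        return struct.pack("!H", len(b)) + b

    def be(n: int) -> bytes:
        return n.to_bytes((n.bit_length() + 7) // 8, "big")

    body = vec16(be(p)) + vec16(be(g)) + vec16(be(ys))
    if tls12:
        body += bytes([0x04, 0x01])  # SignatureAndHashAlgorithm: sha256, rsa
    body += vec16(sig)
    return bytes([0x0C]) + len(body).to_bytes(3, "big") + body


def _fake_modulus(bits: int) -> int:
    """Constructed fixture: a random odd number of exactly `bits` bits (not prime)."""
    return (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1


if __name__ == "__main__":
    for bits in (1024, 2048):
        p = _fake_modulus(bits)
        msg = build_dhe_server_key_exchange(p, 2, p // 3, b"\x00" * 256)
        print(bits, parse_dhe_server_key_exchange(msg))
```

To feed it real data, the raw handshake bytes can be taken from a packet capture or from `openssl s_client -msg`, which dumps each handshake message in hex; recent OpenSSL versions also print the negotiated group size directly in the s_client output, which is the quicker check when the tool is available.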
