On 9/24/13 at 4:58 PM, hal...@gmail.com (Phillip Hallam-Baker) wrote:

And the problem appears to be compounded by dofus legacy implementations
that don't support PFS greater than 1024 bits. This comes from a
misunderstanding that DH keysizes only need to be half the RSA length.

So to go above 1024 bits PFS we have to either

1) Wait for all the servers to upgrade (i.e. never do it because the won't

2) Introduce a new cipher suite ID for 'yes we really do PFS at 2048 bits
or above'.

I suggest (2)

Agreed, however eventually we will want to do (3):

(3) Make insecure obsolete servers show as insecure in the user's UI or refuse to communicate with them. Embedded systems are the Achilles Heel of this suggestion. The only way to upgrade them is to replace them, which might be too costly.

Cheers - Bill

Bill Frantz        |The nice thing about standards| Periwinkle
(408)356-8506 |is there are so many to choose| 16345 Englewood Ave www.pwpconsult.com |from. - Andrew Tanenbaum | Los Gatos, CA 95032

The cryptography mailing list

Reply via email to