Dear anonymous Crypto-Expert, > There appears to be a fundamental misapprehension about the role of > Diffie-Hellman parameters. Section 39.3 conflates them with the the > RSA secret key, which is actual secret key material and should not be > called a "parameter". The D-H parameters are not key material, and do > not need to be protected from inspection. In fact, they are sent in the > clear to everyone who initiates a TLS session. Since the Debian package > doesn't generate an RSA key at all, the restrictive permissions looked > like blatant cluelessness.
I've removed the references to RSA from 39.3 completely, thanks. > It's also not very important that the D-H parameters be changed often; So there still is some value in changing them? > while changing them N times makes it N times as much work for an attacker > that wants to read ALL of your mail, it's better to just use a larger > prime and make it N times harder for an attacker to read ANY of your > mail. What about doing both? :) > In fact, many cryptographic standards just specify a menu of fixed > D-H parameters for all implmentations for all time (e.g. RFC3526). > Generating a set once at install time is also reasonable. Changing it > daily is silly. 39.3 does not say "daily", it says "the frequency depending on your paranoia level". Now how paranoid should Debian be? I have no idea, and with my limited crypto skills, I can't give them a recommendation. Stock Exim does exacly what you want, compute D-H params exactly once. > I might also mention that 1024 bits (which is O(2^80) operations to > break) is considered a bit small for serious security these days. > GNU TLS defaults to 2048 bits, a more reasonable default. Paranoia level again :) /tom -- ## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
