On Mon, May 29, 2017 at 9:16 PM, Niklas Keller <m...@kelunik.com> wrote:

> 2017-05-29 22:00 GMT+02:00 Jakub Zelenka <bu...@php.net>:
>
>> On Mon, May 29, 2017 at 11:58 AM, Niklas Keller <m...@kelunik.com> wrote:
>>
>>> Morning Internals,
>>>
>>> I have updated the RFC to use a "min_signature_bits" setting instead.
>>>
>>>
>> Wouldn't it be better to use security levels instead, as it is in OpenSSL? Of
>> course I mean just for sig level, to not re-implement everything. Basically
>> having sig_level or something like that...
>>
>
> As we can't use the OpenSSL implementation directly, I don't see any
> reason to use arbitrary integers there which you have to look up again.
> Maybe we should find a totally different way.
>
>
Well, we are going to implement security levels at some point anyway, as it
is the primary way to control security strength in OpenSSL 1.1+, so
people will need to look it up anyway. It is also much easier to use than
directly setting security bits IMHO. It might also allow us to simplify
implementation in the future (for example if it gets separated to its own
verify param in the future, we could use that). Also we will be able to
just completely skip that if the main security level is already on that
level or higher (it would be already covered by that).

Please mind that this is an openssl extension, so we should prefer the API
offered by the library and not try to invent our own solutions.

Cheers

Jakub
