On Fri, 2014-04-04 at 02:51 +0200, Aaron Zauner wrote:
>> I'd actually go with TLS1.2+ and 4096bit RSA/DH. It's the
>> future, right? Is there any reason not to (e.g. performance)?
>
> It's the future in the sense of "tomorrow", not as in "next
> year".
>
> IOW, current best practice.
> Shouldn't the current best practice be default instead of a setting
> marked "FUTURE"?
Well, that's the current known best practice, but not the current best
deployment practice. We cannot have a default that is not compatible
with the majority of the existing deployments. If we do that, we will
not actually improve anything other than force the users to switch from
the default to the weaker level.
> General question: What will be the lifespan of these recommendations,
> and if they're adopted in for example RHEL: how often will they be adapted?
You mean the mappings of the three defined levels? These will be adapted
per release if required. The defaults of the previous releases will also
be available as settings.
regards,
Nikos
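The trade-off Nikos describes (a DEFAULT level that the bulk of existing deployments can still satisfy, next to a FUTURE level that demands TLS 1.2+ and 4096-bit RSA/DH) can be made concrete by checking a small fleet of servers against both levels. The following is an added example written for this page; it is not code from the thread, from Fedora's or RHEL's crypto-policies tooling, or from either poster. The DEFAULT thresholds and the `FLEET` entries are constructed assumptions; only the FUTURE values come from the thread.

```python
"""Constructed example: evaluate TLS deployments against two named policy levels.

Added illustration for this thread, not code from any distribution's crypto
policy tool. DEFAULT's thresholds are assumed; FUTURE mirrors the thread's
"TLS1.2+ and 4096bit RSA/DH".
"""
import ssl
from dataclasses import dataclass
from typing import List

# Hypothetical level table. FUTURE's values are from the thread; DEFAULT's
# are an assumption standing in for "compatible with existing deployments".
LEVELS = {
    "DEFAULT": {"min_tls": ssl.TLSVersion.TLSv1,
                "min_rsa_bits": 2048, "min_dh_bits": 1024},
    "FUTURE": {"min_tls": ssl.TLSVersion.TLSv1_2,
               "min_rsa_bits": 4096, "min_dh_bits": 4096},
}


@dataclass(frozen=True)
class Deployment:
    """Observed parameters of one server: protocol, RSA key size, DH group size."""
    name: str
    tls_version: ssl.TLSVersion
    rsa_bits: int
    dh_bits: int


def violations(dep: Deployment, level: str) -> List[str]:
    """Return every requirement of `level` that `dep` fails (empty list = compliant)."""
    req = LEVELS[level]
    problems = []
    # ssl.TLSVersion is an IntEnum, so protocol versions compare in order.
    if dep.tls_version < req["min_tls"]:
        problems.append(f"protocol {dep.tls_version.name} below {req['min_tls'].name}")
    if dep.rsa_bits < req["min_rsa_bits"]:
        problems.append(f"RSA {dep.rsa_bits} below {req['min_rsa_bits']}")
    if dep.dh_bits < req["min_dh_bits"]:
        problems.append(f"DH {dep.dh_bits} below {req['min_dh_bits']}")
    return problems


def compatible_fraction(deployments: List[Deployment], level: str) -> float:
    """Share of the fleet that a client pinned to `level` could still talk to."""
    ok = sum(1 for d in deployments if not violations(d, level))
    return ok / len(deployments)


def client_context(level: str) -> ssl.SSLContext:
    """Client-side SSLContext whose protocol floor matches the level (stdlib only)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = LEVELS[level]["min_tls"]
    return ctx


# Constructed fleet, meant to resemble a mixed 2014-era set of servers.
FLEET = [
    Deployment("legacy-intranet", ssl.TLSVersion.TLSv1, 2048, 1024),
    Deployment("typical-web", ssl.TLSVersion.TLSv1_2, 2048, 2048),
    Deployment("hardened", ssl.TLSVersion.TLSv1_2, 4096, 4096),
]


if __name__ == "__main__":
    for level in LEVELS:
        print(f"{level}: {compatible_fraction(FLEET, level):.0%} of fleet compatible")
        for d in FLEET:
            print(f"  {d.name}: {', '.join(violations(d, level)) or 'ok'}")
    print("FUTURE client protocol floor:",
          client_context("FUTURE").minimum_version.name)
```

Run as a script, the report shows the whole constructed fleet passing DEFAULT while only the hardened server passes FUTURE, which is the point of keeping FUTURE opt-in: a client built with `client_context("FUTURE")` would simply fail to connect to the rest. The same structure extends to a third level (the thread mentions three) by adding another row to `LEVELS`.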