On 06/05/2014 08:41 AM, Eric H. Christensen wrote:
On Wed, Jun 04, 2014 at 03:15:33PM +0200, Nikos Mavrogiannopoulos wrote:
On Wed, 2014-06-04 at 09:05 -0400, Simo Sorce wrote:
According to http://www.keylength.com/en/compare/ the asymmetric sizes do not match the symmetric size according to most sources listed on http://www.keylength.com/en/compare/.
That's old version. New one (https://fedoraproject.org/wiki/Changes/CryptoPolicy) is: Legacy: 767+ default: 1023+
shouldn't this be 2047+ ?
If we do that then the applications that use these settings will be unable to talk to any servers that offer 1024 keys. Given the number of these servers that would be a good reason for applications not switching to this centrally managed configuration system. That is we'd have these settings as in a museum and no-one will be using them.
Who still uses 1024-bit keys? You aren't finding a CA to sign them.
-- Eric
Some legacy hardware, stuff with brain dead interfaces that doesn't give an option to create longer keys. I can't name anything off hand (it's been years since I saw anything like this) but I have to assume they're still out there in production.
-- Kurt Seifried - Red Hat - Product Security - Cloud stuff and such
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993