----- Original Message ----- > From: "Pavel Kankovsky" <peak@xxxxxxxxxxxxxxxxxxxxxx> > To: "Nikos Mavrogiannopoulos" <nmav@xxxxxxxxxx> > Cc: security@xxxxxxxxxxxxxxxxxxxxxxx > Sent: Monday, 31 March, 2014 10:34:37 PM > Subject: Re: Crypto guidelines for Fedora > > On Mon, 31 Mar 2014, Nikos Mavrogiannopoulos wrote: > > > I don't understand what do you mean using SSH and TLS for 10 or more > > years, but we have an expectation of secrecy of data for 10 or more > > years. When you do a TLS or SSH session you don't expect that your > > transferred data will be leaked within a few months or a year later. > > Let me repeat one of my footnotes: > > (***) If long-term secrecy is desired for data transmitted using a > transport protocol (TLS, SSH), one should rely on perfect forward secrecy > provided by the use of ephemeral (EC)DH keys rather than on a server > private key staying confidential for a long time (not broken and not > leaked or stolen). Unfortunately, the support of ephemeral DH in many > programs is, ahem, questionable... The ENISA recommendations are generic, not everybody uses ECDHE or DHE key exchange. Either because, as you point out, the support is not there, or because they use client cipher selection and most of the clients are Windows machines or because the administrator disabled all DH suites because he or she fears for performance problems caused by DHE and doesn't know that this does not apply for ECDHE suites. Also, cryptosystems that don't use primitives of comparable strength are rather frowned upon (if only because security assessment of such systems is more complex). -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Email: hkario@xxxxxxxxxx Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic -- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security