----- Original Message -----
> From: "Pavel Kankovsky" <peak@xxxxxxxxxxxxxxxxxxxxxx>
> To: security@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Thursday, 3 April, 2014 1:13:44 AM
> Subject: Re: Crypto guidelines for Fedora
>
> On Tue, 1 Apr 2014, Hubert Kario wrote:
> > Also, cryptosystems that don't use primitives of comparable strength
> > are rather frowned upon (if only because security assessment of such
> > systems is more complex).
>
> If we took that seriously, most TLS servers using 128+-bit symmetric keys
> should be frowned upon because their certification chains include RSA keys
> shorter than 3072 bits.

Yes, they don't provide 128-bit secrecy in the case where they don't use a PFS cipher suite with proper parameters, and provide less than 128-bit authentication in the case where they do.

It is acceptable because we don't have 80-bit ciphers, and 112-bit ciphers (3DES) are slower than everything else on every platform. So we use 128-bit+ ciphers.

That doesn't change the fact that most of the web is running with an effective security of 80 bits, and just now some of it is migrating to 112-bit security.

> (This situation is, to be honest, ridiculous. Everything is completely
> upside-down.

Yes, yes it is.

> When you got a hierarchy of cryptographic keys, a key at its
> top should better be the strongest of all of them because if it were
> cracked the whole hierarchy would be compromised.)

The problem is that we have to deal with a lot of hysterical^W historical reasons. Clients that don't support SHA-2, clients that can work with just 1024-bit RSA, clients that didn't update their CA trust store for the past 10 years, etc.

There's no way to fix it, so we have to work around it.

-- 
Regards,
Hubert Kario
BaseOS QE Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
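The weakest-link reasoning in the reply above (no PFS: the leaf RSA key caps secrecy; PFS: the chain still caps authentication) can be made mechanical. The following is an added example, not code from the thread or from Fedora; it maps key sizes to security bits using the comparable-strength table from NIST SP 800-57 Part 1, and the certificate chains and cipher suites it scores are constructed sample inputs, not real servers. It also goes one step past the message by scoring the hash used in each certificate signature, since SHA-1 support is named as one of the legacy constraints.

```python
"""Effective security level of a TLS session: the weakest of the cipher,
the key exchange, and the certificate chain that authenticates the server.

Equivalences are the NIST SP 800-57 Part 1 comparable-strength table
(RSA / finite-field DH modulus bits, EC curve bits, hash collision
resistance). All chains and sessions below are constructed samples."""

from dataclasses import dataclass
from typing import List, Optional

# SP 800-57 Part 1, Table 2: (minimum modulus bits, security bits) for RSA and FFDH.
RSA_FFDH_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
# Same table, elliptic-curve key sizes (lower bound of each band).
EC_STRENGTH = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]
# Table 3: collision resistance of the hash inside a digital signature.
HASH_STRENGTH = {"sha1": 80, "sha224": 112, "sha256": 128, "sha384": 192, "sha512": 256}
CIPHER_STRENGTH = {"3des": 112, "aes128": 128, "aes256": 256}


def strength_from_table(bits: int, table) -> int:
    """Security bits of the highest band the key size reaches.
    Below the first band (e.g. 512-bit RSA) report 0: not to be used."""
    result = 0
    for lower, strength in table:
        if bits >= lower:
            result = strength
    return result


@dataclass
class Cert:
    key_bits: int   # subject public key size; this model assumes RSA keys in the chain
    sig_hash: str   # hash in the issuer's signature over this certificate


@dataclass
class Session:
    cipher: str
    chain: List[Cert]               # leaf first, trust anchor (root) last
    kx: str                         # "rsa" (key transport), "dhe" or "ecdhe"
    kx_bits: Optional[int] = None   # DH group size or EC curve size for PFS suites


def secrecy_bits(s: Session) -> int:
    """Record-layer confidentiality: the cipher, capped by whatever protects
    the premaster secret. Without PFS that is the leaf's RSA key."""
    if s.kx == "rsa":
        kx = strength_from_table(s.chain[0].key_bits, RSA_FFDH_STRENGTH)
    elif s.kx == "dhe":
        kx = strength_from_table(s.kx_bits, RSA_FFDH_STRENGTH)
    elif s.kx == "ecdhe":
        kx = strength_from_table(s.kx_bits, EC_STRENGTH)
    else:
        raise ValueError(f"unknown key exchange {s.kx!r}")
    return min(CIPHER_STRENGTH[s.cipher], kx)


def authentication_bits(s: Session) -> int:
    """Server authentication: the leaf key (it signs the handshake or decrypts
    the premaster), plus every issuer key and the hash in its signature over
    the cert below it. The root's own self-signature is never verified (the
    root is trusted by the store), so its sig_hash is ignored, but its key
    still counts because it signed the intermediate."""
    weakest = strength_from_table(s.chain[0].key_bits, RSA_FFDH_STRENGTH)
    for issued, issuer in zip(s.chain, s.chain[1:]):
        weakest = min(weakest,
                      strength_from_table(issuer.key_bits, RSA_FFDH_STRENGTH),
                      HASH_STRENGTH[issued.sig_hash])
    return weakest


def report(s: Session) -> dict:
    return {"secrecy": secrecy_bits(s), "authentication": authentication_bits(s)}


# Constructed sample chains (leaf, intermediate, root).
TYPICAL_2014 = [Cert(2048, "sha256"), Cert(2048, "sha256"), Cert(2048, "sha256")]
LEGACY = [Cert(1024, "sha1"), Cert(1024, "sha1"), Cert(2048, "sha1")]

if __name__ == "__main__":
    samples = [
        ("AES-128, RSA key transport, 2048-bit chain", Session("aes128", TYPICAL_2014, "rsa")),
        ("AES-128, ECDHE P-256, 2048-bit chain", Session("aes128", TYPICAL_2014, "ecdhe", 256)),
        ("AES-128, DHE 1024-bit group, 2048-bit chain", Session("aes128", TYPICAL_2014, "dhe", 1024)),
        ("AES-256, RSA key transport, 1024-bit SHA-1 chain", Session("aes256", LEGACY, "rsa")),
    ]
    for name, session in samples:
        print(f"{name}: {report(session)}")
```

The first two samples reproduce the two cases in the reply: with RSA key transport a 2048-bit leaf holds AES-128 to 112 bits of secrecy, and switching to ECDHE on a 256-bit curve restores 128-bit secrecy while authentication stays at 112 because of the chain. The third shows why "proper parameters" matters: a 1024-bit DHE group drags secrecy down to 80 bits even though the suite is nominally PFS, and the legacy chain shows the 80-bit floor the message describes for much of the web.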