On Fri, 2014-04-04 at 02:51 +0200, Aaron Zauner wrote:
> >> I'd actually go with TLS1.2+ and 4096bit RSA/DH. It's the
> >> future, right? Is there any reason not to (e.g. performance)?
> >
> > It's the future in the sense of "tomorrow", not as in "next year".
> >
> > IOW, current best practice.
> Shouldn't the current best practice be default instead of a setting
> marked "FUTURE"?

Well, that's the current known best practice, but not the current best
deployment practice. We cannot have a default that is not compatible
with the majority of the existing deployments. If we do that, we will
not actually improve anything other than force the users to switch from
the default to the weaker level.

> General question: What will be the lifespan of these recommendations,
> and if they're adopted in for example RHEL: how often will they be adapted?

You mean the mappings of the three defined levels? These will be adapted
per release if required. The defaults of the previous releases will also
be available as settings.

regards,
Nikos

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
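The argument above is that a system-wide default stricter than most existing peers does not raise security, it just pushes administrators to select a weaker level. The following is an added illustration of that trade-off, not code from the thread or from Fedora's crypto-policies project: it models tiered policy levels and counts, over a constructed inventory of peers, how many would stop interoperating under each level. The FUTURE thresholds (TLS 1.2+, 4096-bit RSA/DH) come from the thread; the level names DEFAULT and LEGACY, their thresholds, and every peer in the inventory are assumptions made for the example.

```python
"""Tiered crypto-policy levels and a compatibility assessment over a
constructed peer inventory. Added example; not Fedora's crypto-policies
code. Only FUTURE's thresholds come from the thread; the other two levels,
their thresholds and the inventory are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Protocol versions ordered so they can be compared as "at least".
TLS_ORDER = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass(frozen=True)
class Policy:
    name: str
    min_tls: str        # lowest protocol version the level still allows
    min_rsa_bits: int   # smallest acceptable RSA key
    min_dh_bits: int    # smallest acceptable DH group


# Strictest first. FUTURE matches the thread; DEFAULT and LEGACY are assumed.
POLICIES = {
    "FUTURE": Policy("FUTURE", "TLSv1.2", 4096, 4096),
    "DEFAULT": Policy("DEFAULT", "TLSv1.1", 2048, 2048),   # assumption
    "LEGACY": Policy("LEGACY", "TLSv1", 1024, 1024),       # assumption
}
LEVELS = ("FUTURE", "DEFAULT", "LEGACY")


@dataclass(frozen=True)
class Peer:
    host: str
    max_tls: str    # highest protocol version the peer can negotiate
    rsa_bits: int   # size of the peer's RSA key
    dh_bits: int    # size of the DH group the peer offers


def violations(peer: Peer, policy: Policy) -> list[str]:
    """Reasons a peer cannot interoperate under a policy level (empty if ok)."""
    reasons = []
    if TLS_ORDER[peer.max_tls] < TLS_ORDER[policy.min_tls]:
        reasons.append(f"tls {peer.max_tls} < {policy.min_tls}")
    if peer.rsa_bits < policy.min_rsa_bits:
        reasons.append(f"rsa {peer.rsa_bits} < {policy.min_rsa_bits}")
    if peer.dh_bits < policy.min_dh_bits:
        reasons.append(f"dh {peer.dh_bits} < {policy.min_dh_bits}")
    return reasons


def strictest_compatible_level(peer: Peer) -> str:
    """The strictest level a peer still works with; 'NONE' if even LEGACY fails."""
    for name in LEVELS:
        if not violations(peer, POLICIES[name]):
            return name
    return "NONE"


def broken_per_level(inventory: list[Peer]) -> dict[str, int]:
    """How many peers would stop working if each level were the default."""
    return {
        name: sum(1 for p in inventory if violations(p, POLICIES[name]))
        for name in LEVELS
    }


# Constructed inventory: a spread of modern and aging peers (all fictional).
INVENTORY = [
    Peer("mail.example", "TLSv1.2", 2048, 2048),
    Peer("ldap.example", "TLSv1.3", 4096, 4096),
    Peer("old-vpn.example", "TLSv1", 1024, 1024),
    Peer("web.example", "TLSv1.2", 4096, 2048),
    Peer("printer.example", "TLSv1.1", 2048, 1024),
]

if __name__ == "__main__":
    for level, count in broken_per_level(INVENTORY).items():
        print(f"{level:8s} as default breaks {count} of {len(INVENTORY)} peers")
    for p in INVENTORY:
        print(f"{p.host:20s} needs level {strictest_compatible_level(p)}")
```

With this inventory, making FUTURE the default breaks four of the five peers, so their administrators would immediately drop to a weaker level, which is the outcome Nikos describes; the assumed DEFAULT level breaks only the two genuinely obsolete peers. Shipping the previous release's defaults as selectable levels, as the reply mentions, is what lets those remaining peers be handled per host rather than by loosening the system-wide default.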