On 25 September 2017 at 15:54, Mark D. Baushke <mdb@xxxxxxxxxxx> wrote:
[...]
> For my effort, I would find it 'better' to consider moving to provable
> primes. Of course, that would mean sending all three of g,p,q to the
> client for them to validate that the primes are safe using something
> like Pocklington's Theorem. This should be fairly quick as such things
> go. It does mandate a change to the protocol to send q over the wire
> too.

I'm not a cryptographer so I defer to others on the cryptography and
number theory.

As a maintainer I guess the counter argument to that is that if you
need something stronger than the current dh-gex and you have to
implement something new anyway then you'd be much better off
implementing ecdh or ssh-curves and get something much faster for the
equivalent strength.

What is the intersection of people wanting >192 bits of security and
wanting to (or being required to) stick with dh-gex?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
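As an added illustration of the client-side validation the quoted message describes (example code, not from the thread or from OpenSSH): given g, p and q with p = 2q + 1, a client can prove p prime with Pocklington's theorem once q is known to be prime, since the factored part q of p - 1 exceeds sqrt(p). The function names are assumptions; the trial-division primality check for q stands in for whatever proof of q's primality the protocol would carry.

```python
# Added example: Pocklington verification of a safe-prime DH group (p = 2q + 1).
# Assumes the server has sent (g, p, q); function names are hypothetical.
from math import gcd, isqrt


def is_prime_trial(n: int) -> bool:
    """Deterministic trial division; stands in for the proof that q is prime.

    Fine for small demo values; a real client would verify a primality
    certificate for q (e.g. a chained Pocklington proof) instead.
    """
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def pocklington_witness(p: int, q: int, max_base: int = 1000):
    """Return a base a that proves p prime, given p - 1 = 2*q with q prime.

    Pocklington: if the known prime factor q of p - 1 satisfies q > sqrt(p),
    and some a has a^(p-1) == 1 (mod p) and gcd(a^((p-1)/q) - 1, p) == 1,
    then p is prime. When p is composite no such a exists, so None is
    returned after the search.
    """
    if q * q <= p:          # factored part must exceed sqrt(p)
        return None
    for a in range(2, min(max_base, p - 1)):
        if pow(a, p - 1, p) == 1 and gcd(pow(a, (p - 1) // q, p) - 1, p) == 1:
            return a
    return None


def validate_dh_gex_group(g: int, p: int, q: int) -> bool:
    """Accept (g, p, q) only if p = 2q + 1, q and p are proved prime, and
    g avoids the trivial subgroups {1} and {1, p-1}."""
    if p != 2 * q + 1 or not is_prime_trial(q):
        return False
    if pocklington_witness(p, q) is None:
        return False
    # In a safe-prime group every element other than 1 and p-1 has order q
    # or 2q, so the range check is all that is needed for g.
    return 2 <= g <= p - 2


if __name__ == "__main__":
    # Constructed demo values: 1019 = 2*509 + 1 is a safe prime; 15 = 2*7 + 1 is not prime.
    print(validate_dh_gex_group(2, 1019, 509))  # True
    print(validate_dh_gex_group(2, 15, 7))      # False
```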