On 30/12/17 09:46, Daniel Kahn Gillmor wrote:
> On Thu 2017-12-28 21:31:28 -0800, Dan Mahoney (Gushi) wrote:
>> Why not make minimum key length a tunable, just as the other options
>> are?
> Because the goal of building secure software is to make it easy to
> answer the question "are you using it securely?"

That answer is wrong. The suggestion, which allowed that security was
important, allowed for an option which could only be used by explicitly
setting it at SSH invocation, so, that means, if you don't use the
option then you are (maybe) using it securely, and if you do use the
option, then you are using it in the most secure way possible (because
you'd only use it when forced to.)

By making it impossible for people to use SSH you are forcing people to
use less secure software; telnet because they can't use ssh; old, buggy
versions of ssh because that's what they had to install so that they
could connect to their industrial equipment.

The answer is also boneheaded:

> remove the devices and replace them with something that is actually
> well-supported

We'd be better removing arrogance from essential development teams,
people who think that replacing a world full of expensive and
functioning equipment is an option. It's not, and nor should it be.
That's a disgraceful suggestion and you should be ashamed of yourself.

Browser developers got it badly wrong; let's not join them. The
suggestion was good because there's a wide-spread need for shorter keys
and the suggested solution doesn't allow shorter keys unless explicitly
set per invocation.