Re: Legacy option for key length?

On 30/12/17 09:46, Daniel Kahn Gillmor wrote:
> On Thu 2017-12-28 21:31:28 -0800, Dan Mahoney (Gushi) wrote:
>> Why not make minimum key length a tunable, just as the other options are?
> Because the goal of building secure software is to make it easy to
> answer the question "are you using it securely?"

That answer is wrong. The suggestion, which allowed that security was important, allowed for an option which could only be used by explicitly setting it at SSH invocation, so, that means, if you don't use the option then you are (maybe) using it securely, and if you do use the option, then you are using it in the most secure way possible (because you'd only use it when forced to).

By making it impossible for people to use SSH you are forcing people to use less secure software; telnet because they can't use ssh; old, buggy versions of ssh because that's what they had to install so that they could connect to their industrial equipment.

The answer is also boneheaded:

> remove the devices and replace them with something that is actually well-supported

We'd be better removing arrogance from essential development teams, people who think that replacing a world full of expensive and functioning equipment is an option. It's not, nor should it be. That's a disgraceful suggestion and you should be ashamed of yourself.

Browser developers got it badly wrong; let's not join them. The suggestion was good because there's a widespread need for shorter keys and the suggested solution doesn't allow shorter keys unless explicitly set per invocation.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
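Whichever way the policy question above is settled, an operator first has to know which hosts actually present RSA keys below the threshold. The following is an added example, not code from this thread or from OpenSSH: it decodes the ssh-rsa wire format (string "ssh-rsa", mpint e, mpint n) from known_hosts-style lines and lists hosts whose modulus is shorter than an assumed 2048-bit policy. The host names and key blobs are constructed inline and are not real keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed local policy threshold, not a value from the thread

def _ssh_string(data):  # SSH wire-format string: uint32 big-endian length + bytes
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value):  # SSH mpint: big-endian magnitude, leading 0x00 if the top bit is set
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def _read_string(blob, off):  # decode one wire-format string; return (bytes, next offset)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def rsa_modulus_bits(pubkey_line):
    """(key_type, modulus bits) for a known_hosts / authorized_keys line; bits is None if not RSA."""
    fields = pubkey_line.split()
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-")))
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type inside blob does not match the text field")
    if key_type != "ssh-rsa":
        return key_type, None
    _e, off = _read_string(blob, off)     # public exponent (not needed for the length check)
    n_bytes, _ = _read_string(blob, off)  # modulus mpint; int() ignores the 0x00 sign byte
    return key_type, int.from_bytes(n_bytes, "big").bit_length()

def short_rsa_hosts(lines, min_bits=MIN_RSA_BITS):
    """Hosts whose RSA modulus is below min_bits: the legacy devices the thread argues about."""
    flagged = []
    for line in lines:
        if line.strip() and not line.startswith("#"):
            key_type, bits = rsa_modulus_bits(line)
            if bits is not None and bits < min_bits:
                flagged.append((line.split()[0], bits))
    return flagged

def constructed_rsa_line(host, bits):  # constructed sample: well-formed blob, modulus is NOT a real RSA key
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << (bits - 1)) | 1)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

SAMPLE_KNOWN_HOSTS = [  # constructed inventory, not real hosts or keys
    constructed_rsa_line("plc-old.example", 1024),
    constructed_rsa_line("bastion.example", 3072),
    "nas.example ssh-ed25519 " + base64.b64encode(
        _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32)).decode(),
]
```

Running `short_rsa_hosts(SAMPLE_KNOWN_HOSTS)` returns only the 1024-bit host, which is the kind of device that would need any legacy key-length option; a real inventory would feed it `ssh-keyscan` output or an existing known_hosts file instead of the constructed lines.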