On 21/07/2016 17:28, Salz, Rich wrote:
>> Again, I'm not saying using a 16kRSA key is a good idea. It's not a good idea,
>> one should really consider ECC instead (both for performance and network
>> reasons). But keeping this 2048 bytes limit is not a security decision. It's the
>> result of a trade-off choice, right. And that doesn't make it a bad decision
>> either.
> +1

Wait, is OpenSSL "sanity checking" a message size dictated by the same end's
local configuration against a fixed arbitrary limit rather than a limit
computed from that local configuration?

That sounds doubly buggy, as it will be too high a limit for some
configurations and too low a limit for some other configurations.

The situation would be different for limits that would depend on the
sanity of remote values (such as the key length in a client certificate
sent to a server checking the limit, or the key length in a server
certificate sent to a client checking the limit).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded