[147287] in cryptography@c2.net mail archive


[Cryptography] forward-secrecy >=2048-bit in legacy

daemon@ATHENA.MIT.EDU (Adam Back)
Wed Sep 25 18:19:46 2013

X-Original-To: cryptography@metzdowd.com
Date: Wed, 25 Sep 2013 14:25:06 +0200
From: Adam Back <adam@cypherspace.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
In-Reply-To: <E1VOnl0-0003um-0r@login01.fos.auckland.ac.nz>
Cc: cryptography@metzdowd.com, Crypto List <cryptography@randombit.net>,
	paul.hoffman@vpnc.org, perry@piermont.com,
	code@funwithsoftware.org, zenadsl6186@zen.co.uk,
	Adam Back <adam@cypherspace.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Wed, Sep 25, 2013 at 11:59:50PM +1200, Peter Gutmann wrote:
>Something that can "sign a new RSA-2048 sub-certificate" is called a CA.  For
>a browser, it'll have to be a trusted CA.  What I was asking you to explain is
>how the browsers are going to deal with over half a billion (source: Netcraft
>web server survey) new CAs in the ecosystem when "websites sign a new RSA-2048
>sub-certificate".

This is all ugly stuff, and probably < 3072 bit RSA/DH keys should be
deprecated in any new standard, but for the legacy work-around scenario to
try to improve things while that is happening:

Is there a possibility with RSA-RSA ciphersuite to have a certified RSA
signing key, but that key is used to sign an RSA key negotiation?

At least that was how the export ciphersuites worked (1024+ bit RSA auth,
512-bit export-grade key negotiation).  And that could even be weakly forward
secret in that the 512-bit RSA key could be per session.  I imagine that
ciphersuite is widely disabled at this point.

But wasn't there also a step-up certificate that allowed stronger keys if the
right certificate bits were set (for approved export use like banking)?
Would setting that bit in all certificates allow some legacy server/browsers
to get forward secrecy via large, temporary key negotiation only RSA keys?

(You have to wonder if the 1024-bit max DH standard and code limits was a bit
of earlier sabotage in itself.)

Adam