* Ralf G. R. Bergs:
> I posted about this problem into the Opera forum (see
> http://my.opera.com/community/forums/topic.dml?id=167205), and received
> the following reply from one of the Opera developers:
>
> <quote>
[...]
> IMO the length of that key should match the keylength of the
> certificate, but to get level 3 encryption it must be at least 1024 bits
> long.
> </quote>
You cannot directly compare the RSA and DH bit counts, the underlying
mathematical problems are not the same (discrete logarithms are
harder). There is one prominent study that treats them as equivalent,
but their model is more or less pulled out of thin air. We simply do
not know enough about cryptography to give definite advice on key
lengths.
But perhaps we should change src/tls-gnu.c and increase this constant:
#define DH_BITS 768
NIST recommends to use 1024 bits. BSI (the German one, not the
British) recommends 1280 bits. Both do not really differentiate
between ephemeral session keys and long-term keys. But bumping the
value is easy and probably the right thing to do from a PR angle.
>From an entropy perspective, it should not matter at all, thanks to
the way GnuTLS RNG works (or, more precisely, the libgcrypt RNG).
