Author: Phil Pennock Date: To: Viktor Dukhovni CC: exim-dev Subject: Re: [exim-dev] [Bug 1837] small subgroup attack
On 2016-05-29 at 05:09 +0000, Viktor Dukhovni wrote:
> I cannot emphasize this more strongly. The RFC in question is
> informational (not standards track) and in hindsight harmful. It
> really is best to just remove support for the groups from this RFC.
In a world where ECC is not yet widespread in MTA, PFS requires DH. The
documentation, and many packages (I believe) encourage people to
generate primes.
These are a fallback. My belief was that PFS with 2048-bit DH from an
RFC is better than no PFS. Today ... I think that I believe the same.
Mind, the documented advice is to just use `openssl dhparam` to generate
fresh parameters, which I believe uses a small order subgroup by
default. (2, confirmed as of 1.0.2h); if that's not current best
practice, I'd appreciate pointers on what the best practice is, for
those still using prime-number based DH.
(I believe that Jeremy wrote, or at least committed, support for ECDH
curves, earlier this year, but have not double-checked).