Re: [exim-dev] [Bug 1837] small subgroup attack

On 2016-05-29 at 05:09 +0000, Viktor Dukhovni wrote:
> I cannot emphasize this more strongly. The RFC in question is
> informational (not standards track) and in hindsight harmful. It
> really is best to just remove support for the groups from this RFC.

In a world where ECC is not yet widespread in MTA, PFS requires DH. The
documentation, and many packages (I believe) encourage people to
generate primes.

These are a fallback. My belief was that PFS with 2048-bit DH from an
RFC is better than no PFS. Today ... I think that I believe the same.

Mind, the documented advice is to just use `openssl dhparam` to generate
fresh parameters, which I believe uses a small order subgroup by
default. (2, confirmed as of 1.0.2h); if that's not current best
practice, I'd appreciate pointers on what the best practice is, for
those still using prime-number based DH.

(I believe that Jeremy wrote, or at least committed, support for ECDH
curves, earlier this year, but have not double-checked).