On Mon, 12 Apr 2021, Viktor Dukhovni via Exim-users wrote:
> From: Viktor Dukhovni via Exim-users <exim-users@???>
> To: exim-users@???
> Cc: Viktor Dukhovni <exim-users@???>
> Date: Mon, 12 Apr 2021 17:01:27 -0400
> Subject: Re: [exim] 8192 length SSL keys
>
> On Mon, Apr 12, 2021 at 02:39:41PM -0600, The Doctor via Exim-users wrote:
>
> > Does Exim support 8192 bit SSL keys?
>
> Even 4096-bit RSA keys are noticeably slow/bulky, none of the
> public CAs are using anything stronger than 4096-bit RSA keys and
> most are using 2048. Why on earth would you want 8192 bits?
>
> If you actually want practical strong keys, use ECDSA P256,
> Ed25519 or Ed449.

The public CAs seem quite conservative in the algorithms they'll use
in issued certificates. The baseline specification document for
Certificate Authorities can be found in:

  https://cabforum.org/baseline-requirements-documents/

and from the latest specification:

  6.1.5 Key sizes

  For RSA key pairs the CA SHALL:
    Ensure that the modulus size, when encoded, is at least 2048 bits, and;
    Ensure that the modulus size, in bits, is evenly divisible by 8.

  For ECDSA key pairs, the CA SHALL:
    Ensure that the key represents a valid point on the NIST
    P-256, NIST P-384 or NIST P-521 elliptic curve.

  No other algorithms or key sizes are permitted.

so it seems the Ed25519 and Ed448 algorithms are out for now.

--
Dennis Davis <dennisdavis@???>
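
Added example (not part of either message above, and not Exim or CA/Browser Forum code): a Go check that applies the quoted section 6.1.5 text to a parsed public key, using only the standard library. The names CheckBRKey, rsaOfSize, ecOn and samples are this example's own, and the sample keys are constructed placeholders rather than real key material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rsa"
	"fmt"
	"math/big"
)

// CheckBRKey applies the section 6.1.5 text quoted above to a parsed public key.
func CheckBRKey(pub any) error {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		if bits := k.N.BitLen(); bits < 2048 || bits%8 != 0 {
			return fmt.Errorf("RSA modulus is %d bits; need at least 2048 and a multiple of 8", bits)
		}
	case *ecdsa.PublicKey:
		c := k.Curve
		if (c != elliptic.P256() && c != elliptic.P384() && c != elliptic.P521()) || !c.IsOnCurve(k.X, k.Y) {
			return fmt.Errorf("ECDSA key is not a valid point on P-256, P-384 or P-521")
		}
	default: // Ed25519, Ed448 and anything else: "No other algorithms or key sizes"
		return fmt.Errorf("%T is not a permitted key type", pub)
	}
	return nil
}

// rsaOfSize returns a placeholder modulus of exactly `bits` bits (size checks only).
func rsaOfSize(bits int) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).SetBit(new(big.Int), bits-1, 1), E: 65537}
}

func ecOn(c elliptic.Curve) *ecdsa.PublicKey { // curve base point as a valid sample point
	return &ecdsa.PublicKey{Curve: c, X: c.Params().Gx, Y: c.Params().Gy}
}

var samples = map[string]any{ // constructed keys, not real key material
	"rsa-8192": rsaOfSize(8192), "rsa-1024": rsaOfSize(1024), "rsa-2049": rsaOfSize(2049),
	"p256": ecOn(elliptic.P256()), "p224": ecOn(elliptic.P224()),
	"ed25519": ed25519.PublicKey(make([]byte, ed25519.PublicKeySize)),
}

func main() {
	for name, key := range samples {
		fmt.Printf("%-8s %v\n", name, CheckBRKey(key))
	}
}
```

An 8192-bit RSA modulus passes this check, since the quoted text sets only a minimum size; the Ed25519 key is rejected by the "no other algorithms" clause.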