Legacy option for key length?
openssh at davidnewall.com
Sun Dec 31 13:32:47 AEDT 2017
On 30/12/17 09:46, Daniel Kahn Gillmor wrote
> On Thu 2017-12-28 21:31:28 -0800, Dan Mahoney (Gushi) wrote:
>> Why not make minimum key length a tunable, just as the other options
> Because the goal of building secure software is to make it easy to
> answer the question "are you using it securely?"
That answer is wrong. The suggestion, which allowed that security was
important, allowed for an option which could only be used by explicitly
setting it at SSH invocation, so, that means, if you don't use the
option then you are (maybe) using it securely, and if you do use the
option, then you are using it in the most secure way possible (because
you'd only use it when forced to.)
By making it impossible for people to use SSH you are forcing people to
use less secure software; telnet because they can't use ssh; old, buggy
versions of ssh because that's what they had to install so that they
could connect to their industrial equipment.
The answer is also boneheaded:
> remove the devices and replace them with something that is actually
We'd be better removing arrogance from essential development teams,
people who think that replacing a world full of expensive and
functioning equipment is an option. It's not, and nor should it be.
That's a disgraceful suggestion and you should be ashamed of yourself.
Browser developers got it badly wrong; let's not join them. The
suggestion was good because there's a wide-spread need for shorter keys
and the suggested solution doesn't allow shorter keys unless explicitly
set per invocation.
More information about the openssh-unix-dev