Settable minimum RSA key sizes on the client end for legacy devices.
David Newall
openssh at davidnewall.com
Sat Dec 28 13:31:34 AEDT 2019
On 27/12/19 6:16 pm, Philipp Marek wrote:
>> I fully agree with Steve here, and dislike developers' attitude of "We
>> know what's good for you, and since you don't/can't have a clue - we
>> won't trust you with decisions".
>
> Well, I'm on the developers' side.
> They need to produce a product that _now_ gets installed in some
> embedded device and is expected to be still secure in 15 years and
> longer - as this thread proves.

What this thread proves is that we didn't make an SSH that was secure for
15 years. We did attempt to break old systems; how rude of us. We
shouldn't do that.

>> Minimal key size should have a "reasonable" default, and an explicit
>> config parameter to override it and set to whatever value that
>> *specific* installation needs.
>
> No, that's too easy.

It's not a bad idea.

> I've seen too many decisions made on such a basis - "just configure
> security down until it works" - but these invariably lead to disaster.

Hyperbole much? No need for...

> Well, like a parent they try to save you from bad decisions.

...arrogance.