Settable minimum RSA key sizes on the client end for legacy devices.

Sat Dec 28 16:50:28 AEDT 2019

On 12/27/19 1:46 AM, Philipp Marek wrote:
>> I fully agree with Steve here, and dislike developers' attitude of "We
>> know what's good for you, and since you don't/can't have a clue - we
>> won't trust you with decisions".
>
> Well, I'm on the developers' side.
> They need to produce a product that _now_ gets installed in some
> embedded device and is expected to be still secure in 15 years and
> longer - as this thread proves.
>
> So the emphasis _must_ be on conservative defaults.
>
>
> But I've been on the other side as well 20 years ago, trying to run SSH
> on a 200MHz RISC machine... Engineering sometimes needs trade-offs,
> yeah.
>
>
>> Minimal key size should have a "reasonable" default, and an explicit
>> config parameter to override it and set to whatever value that
>> *specific* installation needs.
>
> No, that's too easy.
> I've seen too many decisions made on such a basis - "just configure
> security down until it works" - but these invariably lead to disaster.
>
>
I don't think the right decision is to prevent people from doing things 
you don't like, and second guessing what they consider secure by 
over-riding defaults.  This is sort of the attitude I'm talking about.  
It seems entirely reasonable to put the minimum key size as a runtime 
option rather than compile-time.  These are the people who own the 
computer in question.

Maybe an admin want an even higher minimum key size than 1024 bits.  
There's plenty of systems that might still be in service in 20 years, 
and perhaps the minimum key size would go up in that time.  Without the 
ability to set at runtime, you have to re-compile, which is always much 
harder for old systems.

Also, you can still make your system insecure if you want. telnetd is 
still supported on Debian system, and at least Centos 7, but not really 
recommended of course.

The natural conclusion of the "I'm the parent trying to protect you from 
bad decisions" idea is that everyone else is a child. There's plenty of 
people that can understand exactly the risks they're taking with smaller 
key sizes, and are still willing to make the tradoff.

> Still, recompilation has a too variable cost (in the dependencies) -
> it's hard to be sure that you _only_ changed that one constant and
> didn't forget something that ./configure would have found etc.
>
>
>> There's no way  the developers can know
>> or evaluate every possible use case or related threat model -
>
> No, they don't.
> They only know the most common 90%, of which eg. _I_ probably
> only know 20%.
>
>
>> so they
>> shouldn't behave as if they do...
>
> Well, like a parent they try to save you from bad decisions.