>But when you write NOT to regenerate, are you saying that using larger
>primes makes regenerating unnecessary, or are you telling us that it's
>somehow harmful?
For a given computational effort, you get the most bang-for-the-buck by choosing
large parameters (and checking very carefully that they are "safe")
rather than smaller parameters (and/or checking them less carefully) which you
then regenerate.
Every time you regenerate, there's a small (but finite) probability that the
new parameters are actually unsafe. You'd do better using those CPU cycles
to improve the proof that your original set of parameters was safe (admittedly,
no one actually does this), rather than generating a new set. Remember, the DH
parameters (p,g) are NOT secret; they are transmitted in the clear every time.
As long as you're using Ephemeral Diffie-Hellman (choosing new exponents, a
and b, for each session) with large safe DH parameters, it's hard to think
of a threat model where you improve the security AT ALL by regenerating the DH
parameters.