Colin Percival
2006-Sep-28 06:34 UTC
Fw: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:23.openssl
Bill Moran wrote:
> Can anyone define "exceptionally large" as noted in this statement?:
>
> "NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by
> prohibiting the use of exceptionally large public keys. It is believed
> that no existing applications legitimately use such key lengths as would
> be affected by this change."
>
> It would be nice if "exceptionally large" were replaced with "keys in
> excess of x bits in size" or something. I don't expect that this will
> affect me, but ambiguous statements like that make me uncomfortable.

DH and DSA are limited to 10000 bits. RSA is limited to 16400 or 4112 bits depending upon whether the public exponent is less or more than 72 bits.

I wouldn't have allowed this change into the security branches if I was not very very confident that no applications would be affected by this.

Colin Percival
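The limits Colin states above, turned into an audit helper an administrator could run over an inventory of public-key parameters before applying the patch. This is an added example, not code from the advisory, the thread or OpenSSL; the thresholds are taken from his message, while the treatment of an exponent of exactly 72 bits as "small" and the use of strict greater-than comparisons are assumptions.

```python
# Size limits quoted by Colin Percival for FreeBSD-SA-06:23.openssl.
DH_DSA_MAX_BITS = 10000
RSA_MAX_BITS_SMALL_EXP = 16400   # modulus limit when e is at most 72 bits
RSA_MAX_BITS_LARGE_EXP = 4112    # modulus limit when e is wider than 72 bits
RSA_EXP_BITS_THRESHOLD = 72      # assumption: exactly 72 bits counts as "small"


def rsa_limit_bits(e: int) -> int:
    """Modulus limit that applies to an RSA key with public exponent e."""
    if e.bit_length() <= RSA_EXP_BITS_THRESHOLD:
        return RSA_MAX_BITS_SMALL_EXP
    return RSA_MAX_BITS_LARGE_EXP


def rsa_key_rejected(n: int, e: int) -> bool:
    """True if an RSA public key (n, e) would be refused under the patch."""
    return n.bit_length() > rsa_limit_bits(e)


def dh_dsa_key_rejected(p: int) -> bool:
    """True if a DH or DSA key with prime modulus p exceeds 10000 bits."""
    return p.bit_length() > DH_DSA_MAX_BITS


def audit(keys):
    """keys: iterable of (label, kind, params) where kind is 'rsa' with
    params (n, e), or 'dh'/'dsa' with params (p,). Returns a list of
    (label, rejected, reason) so the result can be logged or reported."""
    report = []
    for label, kind, params in keys:
        if kind == "rsa":
            n, e = params
            rejected = rsa_key_rejected(n, e)
            reason = f"{n.bit_length()}-bit modulus, {e.bit_length()}-bit exponent, limit {rsa_limit_bits(e)}"
        elif kind in ("dh", "dsa"):
            (p,) = params
            rejected = dh_dsa_key_rejected(p)
            reason = f"{p.bit_length()}-bit modulus, limit {DH_DSA_MAX_BITS}"
        else:
            raise ValueError(f"unknown key kind {kind!r}")
        report.append((label, rejected, reason))
    return report


def fake_modulus(bits: int) -> int:
    """Constructed odd integer of exactly `bits` bits; only its width matters here."""
    return (1 << (bits - 1)) | 1
```

The `fake_modulus` values are constructed placeholders so the check runs offline; in practice `n`, `e` and `p` come from parsed key files.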
Bill Moran
2006-Sep-28 13:16 UTC
Fw: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:23.openssl
In response to Colin Percival <cperciva@freebsd.org>:
> Bill Moran wrote:
> > Can anyone define "exceptionally large" as noted in this statement?:
> >
> > "NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by
> > prohibiting the use of exceptionally large public keys. It is believed
> > that no existing applications legitimately use such key lengths as would
> > be affected by this change."
> >
> > It would be nice if "exceptionally large" were replaced with "keys in
> > excess of x bits in size" or something. I don't expect that this will
> > affect me, but ambiguous statements like that make me uncomfortable.
>
> DH and DSA are limited to 10000 bits. RSA is limited to 16400 or 4112 bits
> depending upon whether the public exponent is less or more than 72 bits.
>
> I wouldn't have allowed this change into the security branches if I was not
> very very confident that no applications would be affected by this.
>
> Colin Percival

I'm not questioning your ability to make these decisions, Colin. Far, far from it. I'm the type that is made uncomfortable by any statement that reads _anything_ like "don't worry, we've taken care of it."

Take that email as two separate statements:
1) I'm curious as to exactly how big "exceptionally large" is.
2) I think this security advisory could be improved by including the answer to #1.

Thanks for the quick response, and all the work you do.

--
Bill Moran
Collaborative Fusion Inc.