David Newall
2019-Dec-28 02:31 UTC
Settable minimum RSA key sizes on the client end for legacy devices.
On 27/12/19 6:16 pm, Philipp Marek wrote:
>> I fully agree with Steve here, and dislike developers' attitude of "We
>> know what's good for you, and since you don't/can't have a clue - we
>> won't trust you with decisions".
>
> Well, I'm on the developers' side.
> They need to produce a product that _now_ gets installed in some
> embedded device and is expected to be still secure in 15 years and
> longer - as this thread proves.

What this thread proves is that we didn't make a SSH that was secure for 15 years. We did attempt to break old systems; how rude of us. We shouldn't do that.

>> Minimal key size should have a "reasonable" default, and an explicit
>> config parameter to override it and set to whatever value that
>> *specific* installation needs.
>
> No, that's too easy.

It's not a bad idea.

> I've seen too many decisions made on such a basis - "just configure
> security down until it works" - but these invariably lead to disaster.

Hyperbole much? No need for...

> Well, like a parent they try to save you from bad decisions.

...arrogance.