Re: Longterm crypto support

2013-12-17 Thread helpcrypto helpcrypto
Probably I'm lost in the translation. Some of our users still have 1024 RSA certificates which they use for HTTPS client auth or signing documents. Are you suggesting to stop supporting/allowing these certificates? If yes, I suppose you will change low level to 2048 on , isn't it? On Sun, Dec 15, 2

Re: Longterm crypto support

2013-12-16 Thread Robert Relyea
On 12/14/2013 06:28 PM, Brian Smith wrote: > Kurt, > > Thanks for your suggestions. > > On Sat, Dec 14, 2013 at 12:46 PM, Kurt Roeckx wrote: > >> I think we need to come up with a plan to improve security in the >> long run. I think what we would like to see in general is: >> - Only SHA256 or bet

Re: Longterm crypto support

2013-12-15 Thread Kurt Roeckx
On Sat, Dec 14, 2013 at 06:28:54PM -0800, Brian Smith wrote: > Kurt, > > Thanks for your suggestions. > > On Sat, Dec 14, 2013 at 12:46 PM, Kurt Roeckx wrote: > > > I think we need to come up with a plan to improve security in the > > long run. I think what we would like to see in general is:

Re: Longterm crypto support

2013-12-15 Thread Kurt Roeckx
On Sat, Dec 14, 2013 at 06:28:54PM -0800, Brian Smith wrote: > > - Only 2048 bit public, 128 bit symmetric, 256 bit elliptic, or > > better. > > > > Approximately 1.5% of Fx26 full handshakes that use RSA certs use keys > smaller than 2048 bits. So, enforcing the 2048 bit limit is not going to

Re: Longterm crypto support

2013-12-14 Thread Brian Smith
Kurt, Thanks for your suggestions. On Sat, Dec 14, 2013 at 12:46 PM, Kurt Roeckx wrote: > I think we need to come up with a plan to improve security in the > long run. I think what we would like to see in general is: > - Only SHA256 or better (and so TLS 1.2) > This is gated almost purely on

Re: Longterm crypto support

2013-12-14 Thread falcon
) To: mozilla's crypto code discussion list Subject: Re: Longterm crypto support I'm not sure how widely EV is recognized.  I'm pretty sure that almost nobody can tell the difference between blue and green, which now seems to be hidden until you click, or that there is that t

Re: Longterm crypto support

2013-12-14 Thread Kurt Roeckx
On Sat, Dec 14, 2013 at 01:12:23PM -0800, falcon wrote: > While it is lovely to encrypt all the things with the strongest encryption > available, I really don't think it is necessary to remove support for > everything that is weak.  This tends to make people refuse to upgrade, > particularly if

RE: Longterm crypto support

2013-12-14 Thread falcon
op working shouldn't be the next step, even if you do allow 5 years. Original message From: Kurt Roeckx Date: 12/14/2013 12:46 (GMT-08:00) To: dev-tech-crypto@lists.mozilla.org Subject: Longterm crypto support Hi, I think we need to come up with a plan to improve security

Longterm crypto support

2013-12-14 Thread Kurt Roeckx
Hi, I think we need to come up with a plan to improve security in the long run. I think what we would like to see in general is: - Only SHA256 or better (and so TLS 1.2) - Only 2048 bit public, 128 bit symmetric, 256 bit elliptic, or better. - Drop support for RC4 and DES (leaving AES, camellia