> Also, it's worth bearing in mind that the number of bits is a
> distractor. All the weakness comes from elsewhere, so fiddling around
> with the bits is just so much numerology that amuses NIST and numerate
> managers and others. It does little for overall security.

Well, it is not a distractor at all if you have a good system that cares about security, such as OpenBSD, or some good hardware RNG. If your point is that certifications like PCI, FIPS can mean that to comply you may actually be using a less secure system or have to reduce the security of the auth system, and being in compliance is no guarantee, then sure.

Whilst 1024 bit has been shown to be possibly breakable by attainable hardware, it is exponential, so you can have confidence in 2048 bit and certainly 4096 bit, as chosen by the xombrero developers web vault site (I forget the name).

If I haven't covered it, then perhaps you could define the weakness, because as I see it lifetimes of minutes can only reduce real security because of a lack of lock down potential and being able to attack the management process, and any inherent weakness will still be there and actually more likely identifiable if you have many certs to analyse, not to mention the entropy wastage and likelihood of it being reduced.

--
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
_______________________________________________________________________
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security