On Tue, 11 Nov 2014 13:32:01 +0100, Manuel Pégourié-Gonnard wrote:
> On 11/11/2014 12:50, Pierre Ossman wrote:
> > TBH, I've never gotten a good grasp on what a good security policy is with
> > regard to DH params. Some have pregenerated values, but I also see
> > references that they should be regenerated every few hours/days/etc.
> >
> > Got any insight to share?
> >
> The DH params (i.e. prime and generator) can totally be static. There are even
> RFCs defining standardised values for them (3526, 5114, maybe more).
>
> The thing that should be regenerated regularly (ideally every key exchange,
> for truly ephemeral DH) is your private-public DH key pair.
>
Is that done by GnuTLS implicitly? I don't see anything in our use of
GnuTLS that generates such things even once.

Rgds
-- 
Pierre Ossman           Software Development
Cendio AB               https://cendio.com
Teknikringen 8          https://twitter.com/ThinLinc
583 30 Linköping        https://facebook.com/ThinLinc
Phone: +46-13-214600    https://plus.google.com/+CendioThinLinc

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
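The distinction Manuel draws above (static group parameters, fresh key pair per exchange) in working code, as an added example that is not part of this thread and is not GnuTLS code. It uses only the Python standard library: the prime is RFC 3526 group 14 (2048-bit MODP, generator 2), transcribed here by the example's author, and the function names `ephemeral_keypair`, `validate_peer_public`, `shared_key` and `run_exchange` are this example's own. The subgroup check on the peer's public value is the caveat a practitioner wants next to any hand-rolled DH: without it a peer can send 1, p-1 or another small-order element and force a predictable secret. This is teaching code; in real software use a TLS library's DHE/ECDHE.

```python
"""Ephemeral Diffie-Hellman over a static, standardised group.

Added example for the thread above, not GnuTLS code. The group (p, g) is
static and comes from RFC 3526; every exchange draws a fresh private key.
Standard library only; for illustration, not production.
"""
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2, transcribed by the
# author of this example. p is a safe prime, so q = (p - 1) / 2 is prime
# and g = 2 generates the subgroup of order q.
P_HEX = """
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2
Q = (P - 1) // 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; used to sanity-check the constants."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def ephemeral_keypair():
    """Fresh key pair for ONE exchange: x in [1, q-1], y = g^x mod p.

    This is the part that must be regenerated; P and G above never change.
    """
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def validate_peer_public(y):
    """Reject degenerate values and elements outside the order-q subgroup."""
    if not 2 <= y <= P - 2:
        return False
    return pow(y, Q, P) == 1


def shared_key(x, peer_y):
    """Session key = SHA-256 over the big-endian encoding of g^(xy) mod p."""
    if not validate_peer_public(peer_y):
        raise ValueError("invalid peer public value")
    z = pow(peer_y, x, P)
    return hashlib.sha256(z.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def run_exchange():
    """One complete DHE exchange; returns (client key, server key)."""
    a_priv, a_pub = ephemeral_keypair()   # client side
    b_priv, b_pub = ephemeral_keypair()   # server side
    return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub)


if __name__ == "__main__":
    k1_client, k1_server = run_exchange()
    k2_client, k2_server = run_exchange()
    print("exchange 1 agrees:", k1_client == k1_server)
    print("exchange 2 agrees:", k2_client == k2_server)
    # Same static group, different session keys: that is what "ephemeral" buys.
    print("keys differ across exchanges:", k1_client != k2_client)
```

Two exchanges over the same static group produce unrelated session keys because each side drew a new private exponent; had either side cached its key pair, every exchange with the same peer would derive the same secret, and compromise of that one exponent would expose all of them. The primality and generator-order checks in `is_probable_prime` and `pow(G, Q, P) == 1` are the tests to run once on any group constant you paste into a code base.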
