On Thu, Jul 5, 2018 at 5:05 AM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> The crazy thing is that although Chrome rejects a connection to a PFS,
> relatively safe (via the DLP's hardness) 1024-bit DHE server, it's perfectly
> happy connecting to a far less safe (both in terms of factorability and use of
> pure RSA) 1024-bit RSA server.
A 2048-bit minimum for RSA acts via the CA/Browser Forum rules: it should not be possible to get a publicly-trusted certificate with a < 2048-bit key and, if it happens, we have proportionate measures to address it. However, it's not practically possible to fix the small DHE defaults across all servers and, even if we could, that would have broken many Java clients. Thus the DHE ecosystem was poisoned and, given that DHE has been exceeded by ECDHE, it wasn't worth trying to save it.

We have not (at least so far) acted to enforce a 2048-bit RSA minimum in the client as the CA/BF rules suffice for the vast, vast majority of users.

Cheers

AGL

--
Adam Langley a...@imperialviolet.org https://www.imperialviolet.org

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
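The message above explains that the 2048-bit RSA floor is enforced by CA/Browser Forum issuance rules rather than by the client. The following Go program is an added illustration, not code from the thread or from any browser, of what a client-side check would look like if one did want to enforce such a floor locally: a VerifyPeerCertificate hook that rejects an RSA leaf key shorter than a configured minimum. The policy constant MinRSABits, the function names, and the self-signed test certificates with the constructed name "example.test" are all assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is a hypothetical client-side policy value mirroring the
// CA/Browser Forum issuance floor discussed in the thread.
const MinRSABits = 2048

// CheckRSAKeySize returns an error if cert carries an RSA public key with a
// modulus shorter than minBits. Non-RSA keys (e.g. ECDSA) pass unchanged.
func CheckRSAKeySize(cert *x509.Certificate, minBits int) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil
	}
	if bits := pub.N.BitLen(); bits < minBits {
		return fmt.Errorf("RSA key is %d bits, below minimum %d", bits, minBits)
	}
	return nil
}

// VerifyPeerKeySize has the signature of tls.Config.VerifyPeerCertificate.
// It runs after the standard chain verification and applies the size policy
// to the server's leaf certificate (rawCerts[0]).
func VerifyPeerKeySize(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("no peer certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	return CheckRSAKeySize(leaf, MinRSABits)
}

// MakeSelfSigned builds a constructed self-signed test certificate with an
// RSA key of the requested size and returns its DER encoding.
func MakeSelfSigned(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// ClientConfig shows where the hook slots into a real TLS client.
func ClientConfig() *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: VerifyPeerKeySize,
	}
}

func main() {
	// Exercise the policy against a 1024-bit and a 2048-bit leaf.
	for _, bits := range []int{1024, 2048} {
		der, err := MakeSelfSigned(bits)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d-bit RSA leaf: %v\n", bits, VerifyPeerKeySize([][]byte{der}, nil))
	}
}
```

The hook only looks at the leaf key; intermediate and root keys are governed by the chain verification already performed by crypto/tls, and a DHE parameter check is not shown because Go's TLS stack does not negotiate finite-field DHE at all, which is in line with the thread's point that DHE has been superseded by ECDHE.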