https://bugzilla.mindrot.org/show_bug.cgi?id=1469
Alex Howells <alex.howells@0wn3d.us> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |alex.howells@0wn3d.us
--- Comment #1 from Alex Howells <alex.howells@0wn3d.us> 2008-05-25 06:35:22 ---
I think there is a considerable disadvantage to the implementation of
this feature: users are liable assume any vulnerable key will be
detected and rejected, which is likely a false assumption :(
What certain distributions are including is not a complete list, their
utilities/patches seem to analyze the first 80-84 bits of a fingerprint
-- this is liable to give false positives, and the inclusive blacklists
only cover the most basic permutations of key, a la;
1024-bit DSA
768-bit RSA
1024-bit RSA
2048-bit RSA
As far as I am aware they don't cover 4096-bit RSA, and any user who
had generated with `ssh-keygen -b 8150 -t rsa` would not be blocked.
I think this might be a feature which needs to be maintained
externally. That way there can be good documentation showing what
permutations would be detected and users are less liable to make nasty
assumptions... Perhaps another good reason to not include this is the
'bloat factor'? It'd probably make releases considerably larger?
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Alex Howells <alex.howells@0wn3d.us> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |alex.howells@0wn3d.us
--- Comment #1 from Alex Howells <alex.howells@0wn3d.us> 2008-05-25 06:35:22 ---
I think there is a considerable disadvantage to the implementation of
this feature: users are liable assume any vulnerable key will be
detected and rejected, which is likely a false assumption :(
What certain distributions are including is not a complete list, their
utilities/patches seem to analyze the first 80-84 bits of a fingerprint
-- this is liable to give false positives, and the inclusive blacklists
only cover the most basic permutations of key, a la;
1024-bit DSA
768-bit RSA
1024-bit RSA
2048-bit RSA
As far as I am aware they don't cover 4096-bit RSA, and any user who
had generated with `ssh-keygen -b 8150 -t rsa` would not be blocked.
I think this might be a feature which needs to be maintained
externally. That way there can be good documentation showing what
permutations would be detected and users are less liable to make nasty
assumptions... Perhaps another good reason to not include this is the
'bloat factor'? It'd probably make releases considerably larger?
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs