Closed
Bug 134156
Opened 22 years ago
Closed 12 years ago
lower limit for valid public key lengths in SSL et al.
Categories
(Core Graveyard :: Security: UI, enhancement)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 134735
People
(Reporter: decoy, Unassigned)
In light of Bernstein's recent paper on improving NFS factoring, it would seem short keylengths (384, 512 bits) in RSA can hardly be thought of as being safe. Still, Verisign appears willing to sign such keys. Considering this, it would be a Good Thing if one could set the various RSA-based protocols in Mozilla to reject keys below a certain minimum size (treat them as invalid, or warn about them otherwise).

Quoting Len Sassaman on cypherpunks: "On the client side, Internet browsers should have a mechanism for specifying the minimum key size that a user is willing to accept to secure his TLS/SSL connection. Not offering this as a standard feature, with sane defaults, is downright negligent. Both Netscape/Mozilla and Microsoft appear guilty of this."

I think this is one more possibility of getting ahead of Microsoft, with minimal trouble. ;)
Comment 1•22 years ago
Assigned the bug to Nelson.
Assignee: wtc → nelsonb
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•22 years ago
This is really a mozilla/PSM request, not an NSS request. Policy decisions about the acceptability of a certificate are outside the scope of the SSL protocol (except as required by export regulations of old). It's really up to the application to determine and enforce its own policies. NSS provides the tools that the application can use for this.

LibSSL calls a callback (implemented and provided by the application) to determine whether the cert(s) provided by the server are acceptable to the application, or not. LibNSS provides functions that the application can call to validate the certs and cert chains, and to inspect the components of the certs (e.g. key size, key type, etc.).

So, I submit that the requestor is actually proposing that mozilla/PSM should have a new policy regarding minimum RSA key sizes, and should enforce that policy for SSL. I believe that NSS already provides all the necessary tools for Mozilla to do this. If the submitter agrees, please change this bug to be an enhancement request for PSM.
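The minimum-key-size policy that comment 2 places in the application, as an added example that is not part of this bug thread and is not NSS or PSM code: it reads the modulus size from a raw DER RSAPublicKey rather than going through the NSS certificate callback. The 1024-bit floor and all function names are assumptions, and the sample keys are constructed byte strings, not real keys.

```python
MIN_RSA_BITS = 1024  # assumed policy floor; the thread names no value


def _read_tlv(buf, pos, tag):
    """Return (start, end) of the content of the DER element at pos."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return pos, pos + length


def rsa_modulus_bits(der):
    """Bit length of the modulus in a DER RSAPublicKey: SEQUENCE { n, e }."""
    start, end = _read_tlv(der, 0, 0x30)
    n_start, n_end = _read_tlv(der[:end], start, 0x02)
    # bit_length() ignores the leading 0x00 sign byte that DER adds when the
    # top bit of n is set; len(bytes) * 8 would report 520 for a 512-bit key.
    return int.from_bytes(der[n_start:n_end], "big").bit_length()


def key_acceptable(der, min_bits=MIN_RSA_BITS):
    """Policy decision an application's certificate check would make."""
    return rsa_modulus_bits(der) >= min_bits


def _der(tag, content):
    """Encode one DER element (helper for building the sample input)."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content


def sample_key(bits):
    """Constructed input: a modulus of the requested size, not a usable key."""
    modulus = (1 << (bits - 1)) | 1
    n = _der(0x02, modulus.to_bytes(bits // 8 + 1, "big"))  # with sign byte
    return _der(0x30, n + _der(0x02, (65537).to_bytes(3, "big")))
```
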
Reporter
Comment 3•22 years ago
Based on what's been said, agreed. I seem to have a lot to learn about Mozilla internals, still. ;) Changing program to PSM, aiming for the daemon.
Component: Libraries → Daemon
Product: NSS → PSM
Updated•22 years ago
QA Contact: sonja.mirtitsch → bishakhabanerjee
Comment 5•22 years ago
Changed the QA contact to Bishakha.
Comment 7•20 years ago
Bug 134735 addresses UI for SSL. Bug 235972 addresses the keygen tag.
Updated•17 years ago
QA Contact: bishakhabanerjee → ui
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Assignee
Updated•8 years ago
Product: Core → Core Graveyard