Closed
Bug 134156
Opened 23 years ago
Closed 14 years ago
lower limit for valid public key lengths in SSL et al.
Categories
(Core Graveyard :: Security: UI, enhancement)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 134735
People
(Reporter: decoy, Unassigned)
References
Details
In light of Bernstein's recent paper on improving NFS factoring, it would seem
short keylengths (384,512 bits) in RSA can hardly be thought of as being safe.
Still, Verisign appears willing to sign such keys. Considering this, it would be
a Good Thing if one could set the various RSA-based protocols in Mozilla to
reject keys below a certain minimum size (treat them as invalid, or warn about
them otherwise). Quoting Len Sassaman on cypherpunks:
"On the client side, Internet browsers should have a mechanism for
specifying the minimum key size that a user is willing to accept to secure
his TLS/SSL connection. Not offering this as a standard feature, with sane
defaults, is downright negligent. Both Netscape/Mozilla and Microsoft
appear guilty of this."
I think this is one more possibility of getting ahead of Microsoft, with minimal
trouble. ;)
Comment 1•23 years ago
Assigned the bug to Nelson.
Assignee: wtc → nelsonb
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•23 years ago
This is really a mozilla/PSM request, not an NSS request.
Policy decisions about the acceptability of a certificate are outside
the scope of the SSL protocol (except as required by export regulations
of old). It's really up to the application to determine and enforce its
own policies. NSS provides the tools that the application can use for
this.
LibSSL calls a callback (implemented and provided by the application)
to determine whether the cert(s) provided by the server are acceptable
to the application, or not. LibNSS provides functions that the application
can call to validate the certs and cert chains, and to inspect the
components of the certs (e.g. key size, key type, etc.).
So, I submit that the requestor is actually proposing that mozilla/PSM should
have a new policy regarding minimum RSA key sizes, and should enforce that
policy for SSL. I believe that NSS already provides all the necessary
tools for Mozilla to do this. If the submitter agrees, please change
this bug to be an enhancement request for PSM.
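The key-size policy an application callback could apply, as an added example that is not part of the bug thread and is not NSS or PSM code. It parses a PKCS#1 RSAPublicKey by hand so it runs without NSS; the function names, the two constructed sample keys and the 1024-bit minimum are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Read a DER length (short or long form) at *p; 0 on success, -1 if malformed. */
static int der_len(const unsigned char **p, const unsigned char *end, size_t *out) {
    if (*p >= end) return -1;
    size_t n = *(*p)++;
    if (n < 0x80) { *out = n; return 0; }
    n &= 0x7f;
    if (n == 0 || n > sizeof(size_t) || (size_t)(end - *p) < n) return -1;
    for (*out = 0; n > 0; n--) *out = (*out << 8) | *(*p)++;
    return 0;
}

/* Modulus bits of a PKCS#1 RSAPublicKey, SEQUENCE { INTEGER n, INTEGER e }; -1 if malformed. */
long rsa_modulus_bits(const unsigned char *der, size_t len) {
    const unsigned char *p = der, *end = der + len;
    size_t n;
    if (p >= end || *p++ != 0x30 || der_len(&p, end, &n) || n > (size_t)(end - p)) return -1;
    end = p + n;
    if (p >= end || *p++ != 0x02 || der_len(&p, end, &n) || n > (size_t)(end - p)) return -1;
    while (n > 0 && *p == 0) { p++; n--; }      /* skip the sign-padding zero byte */
    if (n == 0) return -1;                        /* empty or zero modulus */
    long bits = (long)n * 8;
    for (unsigned char top = *p; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Policy check: 1 = accept, 0 = reject. Malformed keys yield -1 bits, so they fail closed. */
int key_meets_minimum(const unsigned char *der, size_t len, long min_bits) {
    return rsa_modulus_bits(der, len) >= min_bits;
}

/* Constructed sample keys, not real ones: modulus = 0x80 then zero bytes, e = 65537. */
const unsigned char KEY_384[58]   = {0x30, 0x38, 0x02, 0x31, 0x00, 0x80, [53] = 0x02, 0x03, 0x01, 0x00, 0x01};
const unsigned char KEY_1024[140] = {0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0x80, [135] = 0x02, 0x03, 0x01, 0x00, 0x01};

int main(void) {
    long min_bits = 1024;   /* assumed policy value, not taken from the bug */
    printf("384-bit key:  %s\n", key_meets_minimum(KEY_384, sizeof KEY_384, min_bits) ? "accept" : "reject");
    printf("1024-bit key: %s\n", key_meets_minimum(KEY_1024, sizeof KEY_1024, min_bits) ? "accept" : "reject");
    return 0;
}
```

In a real client the key would come from the already-parsed peer certificate rather than raw DER, and the same comparison would decide whether the callback accepts the connection.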
Reporter
Comment 3•23 years ago
Based on what's been said, agreed. I seem to have a lot to learn about Mozilla
internals, still. ;) Changing program to PSM, aiming for the daemon.
Component: Libraries → Daemon
Product: NSS → PSM
Updated•23 years ago
QA Contact: sonja.mirtitsch → bishakhabanerjee
Comment 5•23 years ago
Changed the QA contact to Bishakha.
Comment 7•21 years ago
Bug 134735 addresses UI for SSL. Bug 235972 addresses the keygen tag.
Updated•18 years ago
QA Contact: bishakhabanerjee → ui
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Assignee
Updated•9 years ago
Product: Core → Core Graveyard