Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 28 Sep 2006 06:33:18 -0700
From:      Colin Percival <cperciva@freebsd.org>
To:        Bill Moran <wmoran@potentialtech.com>
Cc:        freebsd security <freebsd-security@freebsd.org>, questions@freebsd.org
Subject:   Re: Fw: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:23.openssl
Message-ID:  <451BCF1E.2070609@freebsd.org>
In-Reply-To: <20060928092437.4a4923a7.wmoran@potentialtech.com>
References:  <20060928092437.4a4923a7.wmoran@potentialtech.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Bill Moran wrote:
> Can anyone define "exceptionally large" as noted in this statement?:
> 
> "NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by
> prohibiting the use of exceptionally large public keys.  It is believed
> that no existing applications legitimately use such key lengths as would
> be affected by this change."
> 
> It would be nice if "exceptionally large" were replaced with "keys in
> excess of x bits in size" or something.  I don't expect that this will
> affect me, but ambiguous statements like that make me uncomfortable.

DH and DSA are limited to 10000 bits.  RSA is limited to 16400 or 4112 bits
depending upon whether the public exponent is less or more than 72 bits.

I wouldn't have allowed this change into the security branches if I was not
very very confident that no applications would be affected by this.

Colin Percival



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?451BCF1E.2070609>