Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 28 Sep 2006 09:46:26 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        Colin Percival <cperciva@freebsd.org>
Cc:        freebsd security <freebsd-security@freebsd.org>, questions@freebsd.org
Subject:   Re: Fw: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:23.openssl
Message-ID:  <20060928094626.012b930c.wmoran@potentialtech.com>
In-Reply-To: <451BCF1E.2070609@freebsd.org>
References:  <20060928092437.4a4923a7.wmoran@potentialtech.com> <451BCF1E.2070609@freebsd.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
In response to Colin Percival <cperciva@freebsd.org>:

> Bill Moran wrote:
> > Can anyone define "exceptionally large" as noted in this statement?:
> > 
> > "NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by
> > prohibiting the use of exceptionally large public keys.  It is believed
> > that no existing applications legitimately use such key lengths as would
> > be affected by this change."
> > 
> > It would be nice if "exceptionally large" were replaced with "keys in
> > excess of x bits in size" or something.  I don't expect that this will
> > affect me, but ambiguous statements like that make me uncomfortable.
> 
> DH and DSA are limited to 10000 bits.  RSA is limited to 16400 or 4112 bits
> depending upon whether the public exponent is less or more than 72 bits.
> 
> I wouldn't have allowed this change into the security branches if I was not
> very very confident that no applications would be affected by this.
> 
> Colin Percival

I'm not questioning your ability to make these decisions, Colin.
Far, far from it.

I'm the type that is made uncomfortable by any statement that reads
_anything_ like "don't worry, we've taken care of it."  

Take that email as two separate statements:
1) I'm curious as to exactly how big "exceptionally large" is.
2) I think this security advisory could be improved by including the
   answer to #1.

Thanks for the quick response, and all the work you do.

-- 
Bill Moran
Collaborative Fusion Inc.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20060928094626.012b930c.wmoran>