Re: Fw: [FreeBSD-Announce] FreeBSD Security Advisory

Board: FB_security, posted 2006/09/29 04:16
In response to Colin Percival <cperciva@freebsd.org>:

> Bill Moran wrote:
> > Can anyone define "exceptionally large" as noted in this statement?:
> >
> > "NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by
> > prohibiting the use of exceptionally large public keys. It is believed
> > that no existing applications legitimately use such key lengths as would
> > be affected by this change."
> >
> > It would be nice if "exceptionally large" were replaced with "keys in
> > excess of x bits in size" or something. I don't expect that this will
> > affect me, but ambiguous statements like that make me uncomfortable.
>
> DH and DSA are limited to 10000 bits. RSA is limited to 16400 or 4112 bits
> depending upon whether the public exponent is less or more than 72 bits.
>
> I wouldn't have allowed this change into the security branches if I was not
> very very confident that no applications would be affected by this.
>
> Colin Percival

I'm not questioning your ability to make these decisions, Colin. Far, far
from it.

I'm the type that is made uncomfortable by any statement that reads
_anything_ like "don't worry, we've taken care of it."

Take that email as two separate statements:
1) I'm curious as to exactly how big "exceptionally large" is.
2) I think this security advisory could be improved by including the
   answer to #1.

Thanks for the quick response, and all the work you do.

--
Bill Moran
Collaborative Fusion Inc.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #1572sr00 (FB_security)