Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0

From: Conrad Meyer <cem_at_freebsd.org>
Date: Mon, 8 Aug 2016 11:17:48 -0700
The OpenSSH defaults are intentionally sane.  RSA 2048 is anticipated
to be fine for the next 10 years.  It would not be a bad choice.  I'm
not aware of any reason not to use EC keys, and presumably the openssh
authors wouldn't ship them as an option if they knew of any reason to
believe they were compromised.

Best,
Conrad

On Mon, Aug 8, 2016 at 10:56 AM, Devin Teske <dteske_at_freebsd.org> wrote:
> Which would you use?
>
> ECDSA?
>
> https://en.wikipedia.org/wiki/Elliptic_curve_cryptography <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography>
>
> "" In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover operation", cryptography experts have also expressed concern over the security of the NIST recommended elliptic curves,[31] <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-31> suggesting a return to encryption based on non-elliptic-curve groups. ""
>
> Or perhaps RSA? (as des_at_ recommends)
>
> (not necessarily to Glen but anyone that wants to answer)
> --
> Devin
>
>
>> On Aug 4, 2016, at 6:59 PM, Glen Barber <gjb_at_FreeBSD.org> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH,
>> and will be deprecated effective 11.0-RELEASE (and preceeding RCs).
>>
>> Please see r303716 for details on the relevant commit, but upstream no
>> longer considers them secure.  Please replace DSA keys with ECDSA or RSA
>> keys as soon as possible, otherwise there will be issues when upgrading
>> from 11.0-BETA4 to the subsequent 11.0 build, but most definitely the
>> 11.0-RELEASE build.
>>
>> Glen
>> On behalf of: re_at_ and secteam_at_
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2
>>
>> iQIcBAEBCAAGBQJXo/L2AAoJEAMUWKVHj+KTG3sP/3j5PBVMBlYVVR+M4PUoRJjb
>> kShIRFHzHUV9YzTIljtqOVf/f/mw3kRHA4fUonID5AJlo23ht9cwGOvGUi5H3lBK
>> rnL9vsU9lvZoGyaHLpR/nikMOaRTa8bl1cdpULlEGH94HEzDuLT92AtAZ5HtdDEl
>> GcXRfTe3eGOaxcqNSF8NKSMQQ8rzbKmsgsa5Cbf0PYToemn3xyPAr+9Nz8tbSrlR
>> TrrFhzOR6+Ix0NcYJAKs6RUZ2kgbAheYF6nQmAHlJzyBihlfdfieJdysqNwSOQ8u
>> c7CyBLNFrGKqYTDVQI36MUwoyVtEqbOjt3cPitsMsD3fVAf05H7dHp/0iqrUghUs
>> 60HYOjfmvZxH5wvhEPdv/wPLAZeosdQgW8np3Y5cztw7cxZXF+PxoMjRcnXVpQ2c
>> QIZg3RsiQmJtAT4Z2OuvYikqGzrpsVido0um/KMM9b82XilJExxPPzgEpXCK3CE8
>> 7TchzrRA/W27eST4VXoNYrrMlmpavur1IxvMS54fBOu98efTIoER6uJc1t7qcL6r
>> mEVmBoMqecg+auuWqz50Bh8K329dlYuGLMbk/Ktc3agXtpkw88ylDmC6l5N7qrnL
>> kSb4i3DboU7R1cltiin3c/P+ahwfKQdNH18QbN3utJuzSSRVvXq4laUGFlRhWEEx
>> bLbbH2fh5bxDmDXDMdCF
>> =LLtP
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> freebsd-announce_at_freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-announce
>> To unsubscribe, send any mail to "freebsd-announce-unsubscribe_at_freebsd.org"
>
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"
Received on Mon Aug 08 2016 - 16:17:50 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:07 UTC