From owner-freebsd-stable@freebsd.org Mon Aug 8 18:17:50 2016 Return-Path: Delivered-To: freebsd-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 927F1BB23F5; Mon, 8 Aug 2016 18:17:50 +0000 (UTC) (envelope-from cse.cem@gmail.com) Received: from mail-it0-f50.google.com (mail-it0-f50.google.com [209.85.214.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5AB551E25; Mon, 8 Aug 2016 18:17:50 +0000 (UTC) (envelope-from cse.cem@gmail.com) Received: by mail-it0-f50.google.com with SMTP id u186so80673316ita.0; Mon, 08 Aug 2016 11:17:50 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc:content-transfer-encoding; bh=dOjG/Fva8By73eDR91aTZo+wB1or0EtJ1/LBnBeEHuU=; b=Xyjeb1Vei/POrOMmHcvECLi86JGbIZ986dIRp++9NhKkHqT1s9plTEYazjbc7WUKmM jpKfOZGzGHbwzMIf4LXR71ggTdKrv13DnAfYRTcB4KuYoILo16KDLPe5e5qnYP56aQNv Tn+YmAJzV8JhHblzTtqrlGdo2pvlXP8evVkfcgZbsPtZiIzbH7fnapP3qXWWqmk4831k FAb3AUB+wtEFuZMhvhM96tZap/t9dOb6UVqi/tcVSWsngwF43dROJuQkiZKIQp60OH0t q4YZJGVG44W9Ka1O9yDi1+B4e2S58GAZUo7CtI/Ymn8N5DX24MZZItcabM3PV/N53eRP SzDg== X-Gm-Message-State: AEkooutlwDcP4JTuydBti4W6bNW2z6mszVwXATkwoNzKcxW//xGs1V05gHXEFPMwy7jLqQ== X-Received: by 10.36.34.145 with SMTP id o139mr20292888ito.11.1470680269481; Mon, 08 Aug 2016 11:17:49 -0700 (PDT) Received: from mail-io0-f182.google.com (mail-io0-f182.google.com. [209.85.223.182]) by smtp.gmail.com with ESMTPSA id 140sm10683542itl.4.2016.08.08.11.17.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Aug 2016 11:17:49 -0700 (PDT) Received: by mail-io0-f182.google.com with SMTP id m101so365021350ioi.2; Mon, 08 Aug 2016 11:17:49 -0700 (PDT) X-Received: by 10.107.28.11 with SMTP id c11mr111350827ioc.7.1470680268947; Mon, 08 Aug 2016 11:17:48 -0700 (PDT) MIME-Version: 1.0 Reply-To: cem@freebsd.org Received: by 10.36.122.208 with HTTP; Mon, 8 Aug 2016 11:17:48 -0700 (PDT) In-Reply-To: <86CE9314-487D-4D63-8CE1-34F167765EC5@freebsd.org> References: <20160805015918.GI43509@FreeBSD.org> <86CE9314-487D-4D63-8CE1-34F167765EC5@freebsd.org> From: Conrad Meyer Date: Mon, 8 Aug 2016 11:17:48 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0 To: Devin Teske Cc: Glen Barber , FreeBSD Current , freebsd-stable@freebsd.org, freebsd-announce@freebsd.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Aug 2016 18:17:50 -0000 The OpenSSH defaults are intentionally sane. RSA 2048 is anticipated to be fine for the next 10 years. It would not be a bad choice. I'm not aware of any reason not to use EC keys, and presumably the openssh authors wouldn't ship them as an option if they knew of any reason to believe they were compromised. Best, Conrad On Mon, Aug 8, 2016 at 10:56 AM, Devin Teske wrote: > Which would you use? > > ECDSA? > > https://en.wikipedia.org/wiki/Elliptic_curve_cryptography > > "" In the wake of the exposure of Dual_EC_DRBG as "an NSA undercover oper= ation", cryptography experts have also expressed concern over the security = of the NIST recommended elliptic curves,[31] suggesting a return to encryptio= n based on non-elliptic-curve groups. "" > > Or perhaps RSA? (as des@ recommends) > > (not necessarily to Glen but anyone that wants to answer) > -- > Devin > > >> On Aug 4, 2016, at 6:59 PM, Glen Barber wrote: >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >> This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH, >> and will be deprecated effective 11.0-RELEASE (and preceeding RCs). >> >> Please see r303716 for details on the relevant commit, but upstream no >> longer considers them secure. Please replace DSA keys with ECDSA or RSA >> keys as soon as possible, otherwise there will be issues when upgrading >> from 11.0-BETA4 to the subsequent 11.0 build, but most definitely the >> 11.0-RELEASE build. >> >> Glen >> On behalf of: re@ and secteam@ >> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v2 >> >> iQIcBAEBCAAGBQJXo/L2AAoJEAMUWKVHj+KTG3sP/3j5PBVMBlYVVR+M4PUoRJjb >> kShIRFHzHUV9YzTIljtqOVf/f/mw3kRHA4fUonID5AJlo23ht9cwGOvGUi5H3lBK >> rnL9vsU9lvZoGyaHLpR/nikMOaRTa8bl1cdpULlEGH94HEzDuLT92AtAZ5HtdDEl >> GcXRfTe3eGOaxcqNSF8NKSMQQ8rzbKmsgsa5Cbf0PYToemn3xyPAr+9Nz8tbSrlR >> TrrFhzOR6+Ix0NcYJAKs6RUZ2kgbAheYF6nQmAHlJzyBihlfdfieJdysqNwSOQ8u >> c7CyBLNFrGKqYTDVQI36MUwoyVtEqbOjt3cPitsMsD3fVAf05H7dHp/0iqrUghUs >> 60HYOjfmvZxH5wvhEPdv/wPLAZeosdQgW8np3Y5cztw7cxZXF+PxoMjRcnXVpQ2c >> QIZg3RsiQmJtAT4Z2OuvYikqGzrpsVido0um/KMM9b82XilJExxPPzgEpXCK3CE8 >> 7TchzrRA/W27eST4VXoNYrrMlmpavur1IxvMS54fBOu98efTIoER6uJc1t7qcL6r >> mEVmBoMqecg+auuWqz50Bh8K329dlYuGLMbk/Ktc3agXtpkw88ylDmC6l5N7qrnL >> kSb4i3DboU7R1cltiin3c/P+ahwfKQdNH18QbN3utJuzSSRVvXq4laUGFlRhWEEx >> bLbbH2fh5bxDmDXDMdCF >> =3DLLtP >> -----END PGP SIGNATURE----- >> _______________________________________________ >> freebsd-announce@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-announce >> To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.o= rg" > > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org= "