Date: Tue, 3 Sep 2002 14:50:23 -0700 (PDT)
From: Mike Hoskins
To: "Perry E. Metzger"
Cc: Michael W Mitton
Subject: Re: 1024 bit key considered insecure (sshd)
In-Reply-To: <87lm6onqj2.fsf@snark.piermont.com>
Message-ID: <20020903144039.I49215-100000@fubar.adept.org>

On 30 Aug 2002, Perry E. Metzger wrote:
> Michael W Mitton writes:
> > My data may not be worth a billion dollars, but I can be fairly certain
> > that I am part of a group ( a rather _large_ group ) whose combined
> > information is worth that.

If you're not paranoid enough to have already upgraded to larger keys (and dealt with the specific challenges that may present for your organization), then you likely do not need larger keys.

As for the organizations that can afford to spend billions of dollars to crack our keys (although they'd likely spend much less, since they'd fabricate their own systems), the present paranoia warranting disdain over 1024 bit keys must also point to the possibility that they've been able to crack our keys long before now.

Weigh the value of your organization's core assets, and take appropriate action. Nothing has really changed simply because an email was sent to Bugtraq. The same risks present today were in some way present last year, or as far back as your paranoia dictates.

I'm not sure who cross-posted to so many lists. My apologies if this isn't appropriate to any included targets. I intend this message for freebsd-security, but do not like to delete/alter To/CC lists in threads I did not start.

Later,
-Mike