From owner-freebsd-security@FreeBSD.ORG Thu Sep 28 13:46:28 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5A80B16A40F; Thu, 28 Sep 2006 13:46:28 +0000 (UTC) (envelope-from wmoran@potentialtech.com) Received: from internet.potentialtech.com (internet.potentialtech.com [66.167.251.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id E69FE43D6B; Thu, 28 Sep 2006 13:46:27 +0000 (GMT) (envelope-from wmoran@potentialtech.com) Received: from vanquish.pgh.priv.collaborativefusion.com (pr40.pitbpa0.pub.collaborativefusion.com [206.210.89.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by internet.potentialtech.com (Postfix) with ESMTP id 1F13B69A22; Thu, 28 Sep 2006 09:46:27 -0400 (EDT) Date: Thu, 28 Sep 2006 09:46:26 -0400 From: Bill Moran To: Colin Percival Message-Id: <20060928094626.012b930c.wmoran@potentialtech.com> In-Reply-To: <451BCF1E.2070609@freebsd.org> References: <20060928092437.4a4923a7.wmoran@potentialtech.com> <451BCF1E.2070609@freebsd.org> X-Mailer: Sylpheed version 2.2.7 (GTK+ 2.8.20; i386-portbld-freebsd6.1) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 28 Sep 2006 20:16:12 +0000 Cc: freebsd security , questions@freebsd.org Subject: Re: Fw: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:23.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Sep 2006 13:46:28 -0000 In response to Colin Percival : > Bill Moran wrote: > > Can anyone define "exceptionally large" as noted in this statement?: > > > > "NOTE ALSO: The above patch reduces the functionality of libcrypto(3) by > > prohibiting the use of exceptionally large public keys. It is believed > > that no existing applications legitimately use such key lengths as would > > be affected by this change." > > > > It would be nice if "exceptionally large" were replaced with "keys in > > excess of x bits in size" or something. I don't expect that this will > > affect me, but ambiguous statements like that make me uncomfortable. > > DH and DSA are limited to 10000 bits. RSA is limited to 16400 or 4112 bits > depending upon whether the public exponent is less or more than 72 bits. > > I wouldn't have allowed this change into the security branches if I was not > very very confident that no applications would be affected by this. > > Colin Percival I'm not questioning your ability to make these decisions, Colin. Far, far from it. I'm the type that is made uncomfortable by any statement that reads _anything_ like "don't worry, we've taken care of it." Take that email as two separate statements: 1) I'm curious as to exactly how big "exceptionally large" is. 2) I think this security advisory could be improved by including the answer to #1. Thanks for the quick response, and all the work you do. -- Bill Moran Collaborative Fusion Inc.