To: | krb5-bugs@MIT.EDU |
Subject: | allow dh_min_bits >= 1024 |
From: | Tom Yu <tlyu@MIT.EDU> |
Date: | Fri, 05 Apr 2013 21:10:48 -0400 |
Windows 7 clients apparently offer the 1024-bit Oakley MODP group, and
might have some trouble with Diffie-Hellman parameter counterproposals
by the KDC. Allowing dh_min_bits to be 1024 (but not by default)
should allow these clients to do PKINIT successfully (if combined with
the "missing q parameter" interop workaround). Arguably, 1024 bits is
too weak for modern usage, but SP800-57 says it's equivalent to 80
bits of security, and we still allow administrators to configure
single-DES, which is weaker.
We should still investigate the underlying interop problem, though.
might have some trouble with Diffie-Hellman parameter counterproposals
by the KDC. Allowing dh_min_bits to be 1024 (but not by default)
should allow these clients to do PKINIT successfully (if combined with
the "missing q parameter" interop workaround). Arguably, 1024 bits is
too weak for modern usage, but SP800-57 says it's equivalent to 80
bits of security, and we still allow administrators to configure
single-DES, which is weaker.
We should still investigate the underlying interop problem, though.