On Mon, Jan 9, 2012 at 8:49 PM, Jacob Appelbaum jacob@appelbaum.net wrote:
Should I make such a branch and request it for review?
I don't think this is a good idea for 0.2.3.x without data. Specifically:
* What fraction of servers on the net right now use 2048-bit RSA link keys and 2048-bit DH groups? (Or 1024 bit RSA keys and 1536-bit DH keys, etc) * How much would this slow down typical clients and servers?
From a security POV, increasing the link key modulus size of 2048 bits
doesn't seem to do anything useful. If somebody wants to decrypt an intercepted communication, the DH g^x value is what they need to solve. OTOH, if we want to stop somebody from *impersonating* a server, then using a 2048-bit link key wouldn't do any good: factoring the identity key would give equally good results.
So I think unless we can make identity keys larger, increasing link key size doesn't help. And without analysis, making the above changes on this timeframe seems like a worrying idea.
So my thought is that we should target 0.2.4.x for this kind of thing, and do it properly.
yrs,