[tor-dev] Extending deadline for small features in 0.2.3.x by one week (to the 13th)

Nick Mathewson nickm at alum.mit.edu
Tue Jan 10 02:01:50 UTC 2012

On Mon, Jan 9, 2012 at 8:49 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Should I make such a branch and request it for review?

I don't think this is a good idea for 0.2.3.x without data.  Specifically:

   * What fraction of servers on the net right now use 2048-bit RSA
link keys and 2048-bit DH groups?  (Or 1024 bit RSA keys and 1536-bit
DH keys, etc)
   * How much would this slow down typical clients and servers?

>From a security POV, increasing the link key modulus size of 2048 bits
doesn't seem to do anything useful.  If somebody wants to decrypt an
intercepted communication, the DH g^x value is what they need to
solve.  OTOH, if we want to stop somebody from *impersonating* a
server, then using a 2048-bit link key wouldn't do any good: factoring
the identity key would give equally good results.

So I think unless we can make identity keys larger, increasing link
key size doesn't help.  And without analysis, making the above changes
on this timeframe seems like a worrying idea.

So my thought is that we should target 0.2.4.x for this kind of thing,
and do it properly.


More information about the tor-dev mailing list