[gnutls-devel] overall sec_param (weakest link) for a gnutls session?

[Nikos Mavrogiannopoulos]

On 12/31/2013 12:52 AM, Matthias-Christian Ott wrote:
> It required me to find, read and translate their documents into an OpenSSL
> cipher list and to choose the key lengths accordingly. When new
> recommendations are available, I would have to repeat this procedure. I
> would prefer it if GnuTLS had a keyword BSI or something similar to
> always conform to the latest recommendation (other systems
> administrators I know who run TLS protected web sites don't even know
> what a key length or a certain cipher is (sic!) and probably wouldn't
> make any efforts to comply with the recommendations). keylength.com
> lists other recommendations of other institutions that might be
> relevant. Also GnuTLS already has some Suite B support.

Hello,
 I don't know how practical it is to have priority strings for every
possible jurisdiction. We can have though options for the major ones.
Despite the latest revelations with NSA, NIST has been leading on making
sensible recommendations and that's why I added the suiteB priority
string options. EU on the other hand has ENISA which I don't even know
if it has any recommendations or if anyone follows them. So in case you
have any suggestion for improvement on that matter please express it.

regards,
Nikos