[gnutls-devel] GnuTLS | Make RSA modulus size restrictions configurable (!1624)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Aug 9 14:15:40 CEST 2022




Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/merge_requests/1624#note_1055448801

I think we need more details on that to decide whether API is needed. Originally we intended to:
* hard-disable verifying / signing with <2k RSA keys in FIPS mode
* soft-disable <2k RSA keys through crypto-policies for more than just TLS through some future configuration file option

Now, we are doing something like:
* there is no hard-disablement
* `min-rsa-size` option is provided to soft-disable RSA keys through crypto-policies (though it might not be mapped 1:1 to a specific crypto-policies keyword)
* FIPS service indicator reports the usage of <2k RSA keys as non-approved in signature generation; this limitation is hard-coded in the library
* FIPS service indicator reports the usage of <2k except 1024, 1280, 1536, 1792 RSA keys as non-approved in signature verification; this limitation is hard-coded in the library

So if we set `min-rsa-size` to the current status quo (1K?), I suspect the requirements from both FIPS and DNSSEC might be already satisfied.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1624#note_1055448801
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20220809/c6a45da7/attachment-0001.html>


More information about the Gnutls-devel mailing list