[gnutls-devel] GnuTLS | certtool --sec-param high generates a smaller key than expected (#1320)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Feb 10 10:40:02 CET 2022

Daniel Lublin commented:

I read the code in `src/certtool-common.c` and `lib/algorithms/secparams.c`.

The functions used to find and (based on passed bits) suggest a named sec-param classifies `3072 >= bits < 8192` as "High". But "High" is precisely 3072 bits when passed as sec-param. So user passed 4096 bits, but is suggested to pass something which gives 3072 bits instead. That's really not helpful.

One could imagine trying to make the suggestion better, adding more complexity to this code. But what should it do -- avoid suggesting a sec-param if passed bits is "well above" a particular sec-param? Or suggest the next higher sec-param? Which in this case would be "Ultra" at 8192 bits.

I really don't know anything about the rationale behind sec-param. Perhaps the suggestion of "High" here is by design. But my gut feeling says different. Rather than making this more complex, I'd vote for removing the suggestion altogether (or perhaps reverting to the previous version, which just suggested that --sec-param be used instead of --bits).

Pinging @nmav, who touched this code last.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1320#note_838307540
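To make the mismatch concrete, here is an added example (not GnuTLS code) that models the two lookups the comment describes, using only the values it gives: "High" is 3072 bits, "Ultra" is 8192 bits, and a requested size with 3072 <= bits < 8192 is classified as "High". The function names, the omission of levels below "High", and the "suggest the next higher sec-param" variant are assumptions; the check `suggestion_downgrades` is the one a caller would want before trusting the suggestion.

```python
# Added example, not GnuTLS code: a small model of the two lookups the comment
# describes, used to check whether certtool's suggestion round-trips.
# Only values from the comment are modelled (assumption: nothing below "High").

# Bits each name yields when passed to --sec-param (values from the comment).
SEC_PARAM_BITS = {"High": 3072, "Ultra": 8192}


def classify(bits):
    """Forward lookup: the named sec-param a requested bit size falls into."""
    if bits >= 8192:
        return "Ultra"
    if bits >= 3072:          # 3072 <= bits < 8192 is "High"
        return "High"
    return None               # below the modelled range


def suggestion_downgrades(requested_bits):
    """True when following the suggested name yields fewer bits than requested."""
    name = classify(requested_bits)
    if name is None:
        return False
    return SEC_PARAM_BITS[name] < requested_bits


def suggest_at_least(requested_bits):
    """Alternative raised in the comment: only suggest a name whose key size is
    at least the requested size (the next higher sec-param), else None."""
    by_size = sorted(SEC_PARAM_BITS.items(), key=lambda kv: kv[1])
    fitting = [name for name, bits in by_size if bits >= requested_bits]
    return fitting[0] if fitting else None


if __name__ == "__main__":
    for bits in (3072, 4096, 8192):
        print(bits, classify(bits), suggestion_downgrades(bits), suggest_at_least(bits))
```

Running it shows 4096 classified as "High", which maps back to 3072 bits, so the current suggestion downgrades the key; the next-higher variant suggests "Ultra" for 4096.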
