On Tue, Dec 24, 2013 at 01:16:33AM +0100, [email protected] wrote:
> > Deploying digests beyond SHA1 will cause interoperability problems
> > with systems that don't yet support the SHA2 family
>
> Are you aware of systems / mailservers which would have a
> problem with it?
Yes. Any OpenSSL based MTA, with OpenSSL older than April 7 2010:

OpenSSL_1_0_0-stable (first released as OpenSSL 1.0.0a):

    commit acc9938ba5aa32fc382399e9a8cbd3a0dea91b34
    Author: Dr. Stephen Henson <[email protected]>
    Date:   Wed Apr 7 13:18:30 2010 +0000

        Add SHA2 algorithms to SSL_library_init(). Although these aren't used
        directly by SSL/TLS SHA2 certificates are becoming more common and
        applications that only call SSL_library_init() and not
        OpenSSL_add_all_algorithms() will fail when verifying certificates.

OpenSSL_0_9_8-stable (first released as OpenSSL 0.9.8o):

    commit bc06baca76534abc2048a3ac4d109b144da4b706
    Author: Dr. Stephen Henson <[email protected]>
    Date:   Wed Apr 7 13:19:48 2010 +0000

        Add SHA2 algorithms to SSL_library_init(). Although these aren't used
        directly by SSL/TLS SHA2 certificates are becoming more common and
        applications that only call SSL_library_init() and not
        OpenSSL_add_all_algorithms() will fail when verifying certificates.

The symptom would be that your certificate chain is not verifiable,

    verify error:num=7:certificate signature failure

which rather makes all those sha256 signatures pointless, since
the whole certificate cannot be verified.
> I am aware of the irony of the domain below, but given that the NSA not only
> works on breaking into foreign systems but also protects US infrastructure,
> they may have a good reason to state 3072 Bit for AES128
>
> http://www.nsa.gov/business/programs/elliptic_curve.shtml
The NIST (and/or NSA) recommended key sizes are for an ideal world
without interoperability issues and implementation constraints.
In the real world, you sometimes get better security from less
ideal but more practical configurations.
--
Viktor.
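Added example (not part of the thread, and not OpenSSL or Postfix code): a small standard-library-only Python check that walks a PEM chain and reports which certificates carry SHA-2 signatures, i.e. the ones an OpenSSL peer built before the April 2010 commits above, and initialised only with SSL_library_init(), would reject with "certificate signature failure". It parses just enough DER to reach Certificate.signatureAlgorithm. The two sample chains at the bottom are constructed skeletons (real outer layout, placeholder tbsCertificate and signature bytes), assumed only so the script runs offline; on a real deployment you would point `main()` at the PEM bundle your MTA serves.

```python
"""Report which certificates in a PEM chain use SHA-2 signatures.

Such certificates cannot be verified by an OpenSSL library that predates the
April 2010 "Add SHA2 algorithms to SSL_library_init()" change and whose
application never called OpenSSL_add_all_algorithms().
"""
import base64
import sys

# Signature-algorithm OIDs (name, is_sha2). Subset chosen for this example.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", True),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", True),
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID contents into dotted form (first octet packs two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm (RFC 5280 layout)."""
    tag, cert, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)           # tbsCertificate (skipped)
    tag, algid, _ = _read_tlv(cert, pos)        # signatureAlgorithm
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, _ = _read_tlv(algid, 0)           # algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "expected an OID"
    return _decode_oid(oid)


def pem_to_der_list(pem_text):
    """Extract every CERTIFICATE block from PEM text, in order."""
    ders, buf, inside = [], [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside, buf = True, []
        elif line.startswith("-----END CERTIFICATE-----"):
            inside = False
            ders.append(base64.b64decode("".join(buf)))
        elif inside:
            buf.append(line.strip())
    return ders


def chain_report(pem_chain):
    """[(algorithm name, is_sha2)] for each certificate, leaf first as served."""
    out = []
    for der in pem_to_der_list(pem_chain):
        oid = signature_algorithm(der)
        out.append(SIGNATURE_OIDS.get(oid, (oid, None)))
    return out


def legacy_verify_fails(pem_chain):
    """True if any cert in the chain is SHA-2 signed: a pre-2010 OpenSSL peer
    that only called SSL_library_init() would report num=7 on it."""
    return any(sha2 for _, sha2 in chain_report(pem_chain))


# --- constructed sample chains (skeletons, not real certificates) ---------
def _der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def _fake_cert_pem(sig_oid):
    """Constructed: correct Certificate framing around placeholder contents."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                    # stand-in tbs
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAA" * 16)                # placeholder sig
    b64 = base64.encodebytes(_der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


SHA1_CHAIN_PEM = _fake_cert_pem("1.2.840.113549.1.1.5") * 2
MIXED_CHAIN_PEM = (_fake_cert_pem("1.2.840.113549.1.1.11")
                   + _fake_cert_pem("1.2.840.113549.1.1.5"))


def main(path=None):
    pem = open(path).read() if path else MIXED_CHAIN_PEM
    for i, (name, sha2) in enumerate(chain_report(pem)):
        print(f"cert[{i}] {name}: {'SHA-2, legacy peers fail' if sha2 else 'ok'}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python check_chain.py fullchain.pem` against the bundle your MTA serves; a SHA-2 entry anywhere in the chain is the interoperability exposure described above, and the decision is then whether the peers that matter have an OpenSSL new enough (1.0.0a / 0.9.8o or later) or an application that also calls OpenSSL_add_all_algorithms().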