[Ach] macosx and certificates > 4096bit

Hanno Böck hanno at hboeck.de
Thu Apr 17 09:50:14 CEST 2014


On Fri, 11 Apr 2014 14:04:01 +0200
Adi Kriegisch <adi at kriegisch.at> wrote:

> Just a note to anyone who runs into this issue which is still not
> fixed with recent versions (10.9.2) of MacOSX: OSX cannot handle
> certificates
>  >4096bit out of the box.

Many Crypto-Implementations don't support that.
NSS has some code to block such keys, too.

The reason is Denial of Service. You don't want an attacker to be able
to give you an insane math problem and disable your software.

Basically, you can expect that 2048 bit RSA is pretty safe (nothing
even remotely in sight that may break it) and 4096 is thus a really
good safety margin.
The only thing you really have to fear with RSA 4096 are quantum
computers or the unlikely case of a fast factoring algorithm. But if
these happen, larger keys will probably not help a lot.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20140417/fc345cfa/attachment.sig>


More information about the Ach mailing list