From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
Date: Mon, 21 Apr 2014 00:20:48 +0100
User-Agent: KMail/1.13.7 (Linux/3.12.13-gentoo; KDE/4.11.5; x86_64; ; )
References: <20140417184325.GA22082@lyseo.edu.ouka.fi> <201404191252.20412.michaelkintzios@gmail.com> <3g9vqS6Wt5z62Yt@devnoip.rootservice.org>
In-Reply-To: <3g9vqS6Wt5z62Yt@devnoip.rootservice.org>
Message-Id: <201404210020.49571.michaelkintzios@gmail.com>

On Saturday 19 Apr 2014 14:17:56 Joe User wrote:
> 3.) Even the people behind http://safecurves.cr.yp.to have no proof
> that secp[256|384|521]r1 are insecure, they just don't trust the
> NIST. So that list is mostly useless and possibly untrue.

I am not knowledgeable enough in cryptanalysis or mathematics to defend or
dispute Tanja Lange and Dan Bernstein's analysis, but their safecurves
evaluation criteria [1] appear logical to me and in any case better than the
undeclared reasons for which NIST/NSA have chosen particular seed values to
arrive at the secpXXX series while rejecting others.

The issue of safe curves to use with TLS has also troubled the IETF TLS
Working Group members and they raise similar issues [2], while they try to
strike some working compromise for real world implementations - they admit
though that these recommendations are very much a temporary state until more
secure curves/algos show up.

I came across a draft guide on Crypto Hardening for sysadmins in the
post-Snowden era, produced by bettercrypto.org, and thought of sharing it with
the list [3]. I hope it is useful for people here who look after webservers
and applications.

[1] http://safecurves.cr.yp.to/rigid.html
[2] http://ftp.zut.edu.pl/mirrors/ftp.ietf.org/ietf-mail-archive/uta/2014-01.mail
[3] https://bettercrypto.org/static/applied-crypto-hardening.pdf
-- 
Regards,
Mick