[nycbug-talk] RSA/DSA for encryption: has it's time come?

Brian Callahan bcallah at devio.us
Tue Aug 27 19:29:16 EDT 2013

On 8/27/2013 7:24 PM, George Rosamond wrote:
> Okan Demirmen:
>> On Wed, Aug 7, 2013 at 9:58 AM, Isaac (.ike) Levy
>> <ike at blackskyresearch.net> wrote:
>>> Hi All,
>>> I'd love to know what people's thoughts are on the state of older
>>> RSA/DSA encryption, versus the future of eliptic curve ECDSA:
>>> http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
>>> --
>>> A few years ago, a number of us were wary of the brand-spankin'-new ECC
>>> crypto for use in SSH public keys.  And then months later, there were
>>> some ECDSA/ssh implementation problems exposed:
>>> http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2
>>> So, that was 2 years ago, ECDSA implementations are now no longer in
>>> their infancy.
>>> --
>>> What are people's thoughts on the practicality of starting to use ECDSA
>>> keys?
>>> Has anyone here seen their use mandated over RSA/DSA in a business setting?
>>> Has anyone just jumped into ECDSA bliss, and not looked back?
>> Not that this might mean much, but I use them.
>> As for policies in a business setting; I gather such technical
>> policies are made by people like you, so it's likely up to what folks
>> like you write in said policies :)
> So I'm in the process of getting a client to pickup better practices
> with SSH, and found out even OSX 10.7.5 doesn't support ecdsa.
> AFAIK, Putty doesn't either yet, and I doubt SSH for Windows does either.

(slightly off-topic but...)

Don't forget to make sure to update your Putty is up-to-date with the 
version released earlier this month, as it fixes 4 security holes!

All this other discussion is for naught if we're running insecure 
clients (and servers)!


More information about the talk mailing list