<div class="gmail_quote">2011/2/13 Jean-Yves F. Barbier <span dir="ltr"><<a href="mailto:12ukwn@gmail.com">12ukwn@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
On Sun, 13 Feb 2011 22:21:10 +0100, Ludolf Holzheid<br>
<div class="im"><<a href="mailto:lholzheid@bihl-wiedemann.de">lholzheid@bihl-wiedemann.de</a>> wrote:<br>
<br>
<br>
<br>
</div><div class="im">> On Sat, 2011-02-12 14:32:19 +0100, Jean-Yves F. Barbier wrote:<br>
> > [..]<br>
> ><br>
> > Hmmm, so it looks like may the entropy may be higher with 2 different keys.<br>
><br>
> Yes, but if this was more than a hypothetical problem, there would be<br>
> a counter for uses of the key and a recommendation to use a new key<br>
> after a certain number of uses.<br>
<br>
</div>For my own security, keys are rotated on a monthly basis.<br></blockquote><div> </div><div>Yes and, of course, you are sure that your random generator is better than the debian one before may 2008... <br><br></div>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im"><br>
> Think of how many times the web<br>
> banking servers use their key ...<br>
<br>
</div>I totally agree with this.<br>
<div class="im"><br>
> Don't be too concerned about that.<br>
<br>
</div>Yes, I am, because it is not the bank interests I protect, but mine!<br>
<br>
The advantage of this question is it forced me to read more about openssl,<br>
and now I think I'm gonna do it by the rules: separating every parts into<br>
different files because the exercice is interesting and also because I'll soon<br>
need to configurate a larger network of clients.<br>
<br>
However, openssl lacks *real long term* security features (why signing into<br>
sha1 instead of sha384 or sha512 when it is quite surely already broken by gov<br>
Sces?), and is also somehow suspect (remember the 1 line bug that have lasted<br>
for a looong time? After disclosure it was fixed but not a word from<br>
the team about it and not a line in the changelog too......)<br></blockquote><div><br>Do you REALLY think that a brute force attack is what someone would use to gain access to YOUR data ? <br><br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
What I also wouldn't like is somebody record the whole connexion and decode it<br>
several years after, once the computer farms power is high enough.<br></blockquote><div><br>ever heard of 'forward secrecy' ? (<a href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy">http://en.wikipedia.org/wiki/Perfect_forward_secrecy</a>)<br>
</div></div>