Comparison

mod_s2s_keysize_policy/README.markdown @ 1895:101078d9cc27

mod_s2s_keysize_policy: Add a README
author Kim Alvefur <zash@zash.se>
date Sun, 04 Oct 2015 23:24:19 +0200
comparison
equal deleted inserted replaced
1894:93c5479c6f2f 1895:101078d9cc27
1 ---
2 summary: Distrust servers with too small keys
3 ...
4
5 Introduction
6 ============
7
8 This module sets the security status of s2s connections to invalid if
9 their key is too small and their certificate was issued after 2014, per
10 CA/B Forum guidelines.
11
12 Details
13 =======
14
15 Certificate Authorities were no longer allowed to issue certificates
16 with public keys smaller than 2048 bits (for RSA) after December 31
17 2013. This module was written to enforce this, as there were some CAs
18 that were slow to comply. As of 2015, it might not be very relevant
19 anymore, but still useful for anyone who wants to increase their
20 security levels.
21
22 When a server is determined to have a "too small" key, this module sets
23 its chain and identity status to "invalid", so Prosody will treat it as
24 a self-signed certificate istead.
25
26 "Too small"
27 -----------
28
29 The definition of "too small" is based on the key type and is taken from
30 [RFC 4492].
31
32 Type bits
33 ------ ------
34 RSA 2048
35 DSA 2048
36 DH 2048
37 EC 233
38
39 Compatibility
40 =============
41
42 Works with Prosody 0.9 and later. Requires LuaSec with [support for
43 inspecting public keys](https://github.com/brunoos/luasec/pull/19).