[Operators] ECDSA certs score F

Thijs Alkemade thijs at xnyhps.nl
Wed Aug 6 09:01:59 UTC 2014


On 26 jul. 2014, at 05:18, shmick at riseup.net wrote:

> 
> hi,
> 
> I was testing an XMPP server and I believe it's wrong to reduce the
> score because of the cert, which is reported as < 1024 bits
> 
> I think the testing backend only assumes an RSA cert, is that right?
> 
> the server I tested is using a cert in a pure ECC chain with ECDSA 384
> and not a standard RSA cert
> 
> can you re-configure the XMPP tester to recognise ECDSA certs as not
> being low quality, rather than grading the score F?
> 
> see
> 
> https://xmpp.net/result.php?id=46868
> https://xmpp.net/result.php?id=46871
> 
> the TLSA records didn't seem to be detected either
> 
> I don't know what's up with the s2s though
> 
> 

It’s still unimplemented because I didn’t have any server to test against when I set it up.

There’s also the minor issue that I’m not sure exactly how to grade ECDSA keys, but I think giving them all 100 points makes sense (equivalent to 4096-bit RSA).

Your TLSA records are for your domain, not for your SRV target. That doesn’t match draft-ietf-dane-srv.

Thijs
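The placement rule Thijs refers to, as an added illustration that is not part of this thread or of the xmpp.net tester: under draft-ietf-dane-srv (later published as RFC 7673), a client that reaches a service through an SRV record looks for TLSA records under the SRV *target* host and port (the `_port._proto.host` owner name from RFC 6698 section 3), not under the service domain it set out to contact. The script below models that lookup and reports which published TLSA names a client would actually consult. The domain names, SRV records and TLSA owner names are constructed sample data, and the no-SRV fallback (use the service domain itself on the default port) is an assumption about how a client behaves when no SRV record exists.

```python
"""
Where should the TLSA records for an SRV-located service live?

Added example, not code from the original thread or from xmpp.net.
It models the naming rule of draft-ietf-dane-srv / RFC 7673: TLSA records
are looked up under the SRV target host and port, not under the service
domain. Naming is all this covers; a real client additionally requires the
SRV answer to be DNSSEC-validated before it trusts the target name.
All names and records below are constructed sample data.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN, with or without a trailing dot


def fqdn(name: str) -> str:
    """Normalise to a lowercase, dot-terminated name so lookups compare equal."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """TLSA owner name per RFC 6698 section 3: _<port>._<proto>.<host>."""
    return f"_{port}._{proto}.{fqdn(host)}"


def expected_tlsa_names(service_domain, service_port, srv_records):
    """Owner names a DANE-SRV client would query for this service.

    One name per distinct (target, port) pair from the SRV answer. With no
    SRV records at all the client connects to the service domain itself on
    the default port, so that is the only name consulted (assumed fallback).
    """
    if not srv_records:
        return {tlsa_owner_name(service_domain, service_port)}
    return {tlsa_owner_name(r.target, r.port) for r in srv_records}


def check_tlsa_placement(service_domain, service_port, srv_records, published_tlsa):
    """Classify each published TLSA owner name for a service.

    Returns (used, ignored, missing):
      used    - published names a DANE-SRV client would actually consult
      ignored - published names no client will look at for this service,
                e.g. _5269._tcp.<service_domain> when SRV points elsewhere
      missing - SRV targets (or the fallback name) with no TLSA record
    """
    expected = expected_tlsa_names(service_domain, service_port, srv_records)
    published = {fqdn(n) for n in published_tlsa}
    used = expected & published
    ignored = published - expected
    missing = expected - published
    return used, ignored, missing


# Constructed sample data modelling the situation in the thread: the service
# domain publishes TLSA under its own name, but its s2s SRV record points at
# a differently named host, so the client never queries the published name.
SERVICE_DOMAIN = "example.net"
XMPP_S2S_PORT = 5269
SAMPLE_SRV = [SrvRecord(priority=0, weight=5, port=5269, target="xmpp.hoster.example.")]
SAMPLE_TLSA = ["_5269._tcp.example.net."]


if __name__ == "__main__":
    used, ignored, missing = check_tlsa_placement(
        SERVICE_DOMAIN, XMPP_S2S_PORT, SAMPLE_SRV, SAMPLE_TLSA
    )
    print("TLSA names a client will consult :", sorted(used) or "-")
    print("TLSA names published but unused  :", sorted(ignored) or "-")
    print("SRV targets lacking TLSA records :", sorted(missing) or "-")
```

Running it against the sample data reports the published `_5269._tcp.example.net.` record as unused and `_5269._tcp.xmpp.hoster.example.` as the name that needs a TLSA record; the same function applied with an empty SRV list shows the service-domain name being consulted, which is the only case in which records "for your domain" are the right place.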