[Operators] Please enable Forward Secrecy for your servers!

Mathias Ertl mati at fsinf.at
Mon Jul 27 20:36:50 UTC 2015


I think we have a misunderstanding here:

On 2015-07-27 22:28, Patrick Beisler wrote:
> Why not allow 2048 for now with the prerequisite that all servers may
> move to 4096, if we can actually agree on it. Some people may also need
> to purchase new certs anyways, so at least they have a heads up.
> but that's just me.. I just had a 2048 last year before renewing and
> just so happened to do 4096. (as an example)

No one is trying to forbid 2048 bit certificates. I described 4096 bit
certs as "best practice". So when you get a new one, I think you should
get a 4096 bit cert ;-). My original post tried to get momentum
towards ubiquitous Forward Secrecy, a different issue.

greetings, Mati


-- 
twitter: @mathiasertl | xing: Mathias Ertl | email: mati at er.tl
I only read plain-text mail!  I prefer signed/encrypted mail!
