[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Wed Aug 20 12:04:25 CDT 2008


"Eric Rescorla" <ekr at rtfm.com> wrote:

> To sharpen this point a little:
> If you're using Diffie-Hellman, the cost of computing ZZ (the shared
> key) is rather higher than the cost of generating your own key out of
> a known group. Similarly, the cost of generating a DSA key out of a
> known group is quite low. In other words, if the cost of initial key
> generation at installation time is unacceptable, then you most likely
> can't do asymmetric cryptography to establish connections either.

Well, DH on that machine never took an hour :).
It might as well be a bug in GNUTLS, though.

-- 
Jonathan