CA Key Length

Hello all,

looking for a bit of advice as searches have not really reaped much. When we set up Djigzo's CA what would be the most client inter-operable settings to use; 2048 bits with SHA512? I have been led to believe that there have been issues on BlackBerrys, quite some time ago, when using 4096 bits and SHA512.


--
Thanks, Phil

Quote from Phil Daws <uxbod(a)splatnix.net>:

Hello all,

looking for a bit of advice as searches have not really reaped much.
When we set up Djigzo's CA what would be the most client
inter-operable settings to use; 2048 bits with SHA512? I have been
led to believe that there have been issues on BlackBerrys, quite
some time ago, when using 4096 bits and SHA512.

- You should not create/issue certificates with less than 1024-bit RSA
anymore; 2048 should be sufficient for the next 10 years
(https://wiki.mozilla.org/CA:MD5and1024)

- SHA-2 had somewhat more issues, especially on older Windows versions
still widely used
(http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx).
Windows should be fixed today by this security update, which bumps up
crypt32.dll though: http://support.microsoft.com/kb/2641690/en

So using 2048-bit RSA / SHA-256 should be safe enough and, at least for e-mail,
understood by most clients today.

Regards

Andreas

I think the current best practice is to use 4096 with sha256 for the
root and intermediate(s) and 2048 with sha256 for end user certificates.

Kind regards,

Martijn


On 08/06/2012 02:44 PM, Phil Daws wrote:

Hello all,

looking for a bit of advice as searches have not really reaped much. When we set up Djigzo's CA what would be the most client inter-operable settings to use; 2048 bits with SHA512? I have been led to believe that there have been issues on BlackBerrys, quite some time ago, when using 4096 bits and SHA512.

--
DJIGZO email encryption

Quote from Martijn Brinkers <martijn(a)djigzo.com>:

Hello all,

looking for a bit of advice as searches have not really reaped
much. When we set up Djigzo's CA what would be the most client
inter-operable settings to use; 2048 bits with SHA512? I have been
led to believe that there have been issues on BlackBerrys, quite
some time ago, when using 4096 bits and SHA512.

I think the current best practice is to use 4096 with sha256 for the
root and intermediate(s) and 2048 with sha256 for end user certificates.

It might also depend on the target. For e-mail it should be OK as long
as most of the users have powerful devices (PC-like). With handhelds
as the primary target it could already matter if the key size is "too big",
as the time needed is non-linear
(http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml).
On the other hand, e-mail is not that sensitive to some delay in
processing, unlike for example HTTPS, so for advanced or long-term
security it is reasonable to go for 4096/2048 bits. A quick glance at
the root CAs issued after ~2005 in our Gateway keystore led to around
one-third with 4096 and two-thirds with 2048 and some minority still at
1024-bit RSA. So if the somewhat bigger CAs use 4096 bits it should
be no problem from an interoperability point of view.

So +1 for Martijn's suggestion.

Regards

Andreas


Appreciated.


--
Thanks, Phil

----- Original Message -----

On 08/06/2012 02:44 PM, Phil Daws wrote:
> Hello all,
>
> looking for a bit of advice as searches have not really reaped
> much. When we set up Djigzo's CA what would be the most client
> inter-operable settings to use; 2048 bits with SHA512? I have
> been led to believe that there have been issues on BlackBerrys,
> quite some time ago, when using 4096 bits and SHA512.
>

I think the current best practice is to use 4096 with sha256 for the
root and intermediate(s) and 2048 with sha256 for end user
certificates.

Kind regards,

Martijn

--
DJIGZO email encryption

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users