First draft of pkinit plugin code now in Subversion

Olga Kornievskaia aglo at
Mon Nov 27 12:29:18 EST 2006

Olga Kornievskaia wrote:
>> I'm concerned that the code uses a 1024-bit DH group and there seems
>> to be no way to change this. 
> as far as i know 1024-bit group is not weak.
i'd like to take it back. i found a posting by Russ Housley 
( that states: 
"Today you can fully break a 1024 DH exchange (i.e recover the DH 
keyg^xy from g^x and g^y) in something between 2^70 to 2^80 operations. 
Thus, by using a 1024-bit modulus you are essentially limited to no more 
than 70-80 bits of security." We should set the default group to be 2048?

More information about the krbdev mailing list