11-26-2013, 09:12 AM
mdella
Registered User
Join Date: Mar 2004
Location: Scotts Valley, CA
Posts: 44
Switching our public connection policy...

Well, first a couple things... I'm only speaking for the HP Web Services group. As you know, HP is rather large and everyone is going their own different ways, so it's not like it's a huge group you're speaking to (although us and HPCS seem to be on the forefront of much of HP's public internet directions).

As far as when, we are in the process of hand recompiling openssl and openssh to allow for ECDSA keys. It's a multistage process, as we have to get the correct software on all Linux boxes to begin with (meaning at this point, we have to build our own RPMs for RedHat/CentOS 6.4) and then work on the key distribution system. So it's a multi-month project, but just like development on your side, everything takes time :-)

I'm just trying to see which "desktop" clients out there will be supporting our changes by the time we get to the end of our project. Additionally, something you mentioned had me a little worried, as I have gone through the same process you're mentioning elsewhere. If you have to apply to the Feds for the usage of EC, then are you going to allow the use of another application to generate the keys? One of our issues is what influence is allowed in the key generation process.

So to summarize:

1. We have quite a bit of time before moving to EC (months, not weeks)
2. We have concerns about "where" EC 521-bit keys are generated and are more interested in applications that will import our keys
3. Isolation testing takes a couple weeks where we look at (from outside the program) what is being done with the keys imported
P.S. Normally we'd prefer something where we can look at the code to see what's going on, but for 95% of our users, your application is much more user friendly and not as concerning for the security aspects. It's the 5% of our operations population that's going to have to go to a code-vetted method of connection because of what they can connect to on the other side.

Marcos Della
Data Center Cloud Architect

PGP Fingerprint: BDC7 AFFD E94F FA09 C839 9153 F5FF E128 3094 2B9E
Key ID: 0x30942B9E