Source-Changes-D archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: CVS commit: src/etc/rc.d
> Module Name: src
> Committed By: christos
> Date: Sat Apr 7 00:41:16 UTC 2018
>
> Modified Files:
> src/etc/rc.d: sshd
>
> Log Message:
> support xmss keys
I advise against generating XMSS host keys by default.
The XMSS signature scheme is stateful, so managing XMSS keys is
qualitatively different for an administrator from all the other
signature schemes supported here: roll back the state (e.g., from disk
backup or VM snapshot) and you shoot yourself in the foot.
There's no benefit right now to post-quantum signature because
practical quantum computers are still a long way out. Future quantum
computers pose no _retroactive_ danger for online authentication: if
quantum computers ever do become practical, you can replace the host
keys and all _subsequent_ sessions will be fine.
(The story is different for confidentiality; post-quantum public-key
key agreement and encryption are more important to deploy now because
of the possibility of retroactive decryption.)
Home |
Main Index |
Thread Index |
Old Index