changeset 1895:101078d9cc27

mod_s2s_keysize_policy: Add a README
author Kim Alvefur <zash@zash.se>
date Sun, 04 Oct 2015 23:24:19 +0200 (2015-10-04)
parents 93c5479c6f2f
children 777554cf1ae1
files mod_s2s_keysize_policy/README.markdown
diffstat 1 files changed, 43 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_s2s_keysize_policy/README.markdown	Sun Oct 04 23:24:19 2015 +0200
@@ -0,0 +1,43 @@
+---
+summary: Distrust servers with too small keys
+...
+
+Introduction
+============
+
+This module sets the security status of s2s connections to invalid if
+their key is too small and their certificate was issued after 2014, per
+CA/B Forum guidelines.
+
+Details
+=======
+
+Certificate Authorities were no longer allowed to issue certificates
+with public keys smaller than 2048 bits (for RSA) after December 31
+2013. This module was written to enforce this, as there were some CAs
+that were slow to comply. As of 2015, it might not be very relevant
+anymore, but still useful for anyone who wants to increase their
+security levels.
+
+When a server is determined to have a "too small" key, this module sets
+its chain and identity status to "invalid", so Prosody will treat it as
+a self-signed certificate istead.
+
+"Too small"
+-----------
+
+The definition of "too small" is based on the key type and is taken from
+[RFC 4492].
+
+  Type     bits
+  ------ ------
+  RSA      2048
+  DSA      2048
+  DH       2048
+  EC        233
+
+Compatibility
+=============
+
+Works with Prosody 0.9 and later. Requires LuaSec with [support for
+inspecting public keys](https://github.com/brunoos/luasec/pull/19).