6 Oct 2025, 10:11 p.m.
EC Keys: >= 224 bits
RSA keys: >= 2048 bits
DH params: >= 2048 bits
EdDSA: Ed25519 & Ed448 are good
& depths below, e.g. 1024b RSA or DH, are rejected
Hmm - when using elliptic curve algos like X25519 / X448 I don't think DH params are needed/used any longer - are they?
And if they were being used (with RSA or whatever), aren't finite field like ffdhe4096 (a la RFC 7919 [1]) the preferred choice?
If it were me, I would completely eliminate any RSA certs anyway - there's no longer any need to use them at all.
[1] https://datatracker.ietf.org/doc/html/rfc7919
--
Gene