Timeline to remove DSA support in OpenSSH

[patrakov]

Evil manager from hell: nope, you can still reconfigure the <thing> to use telnet. At least it would be then plain obvious that there is no security, instead of the current security theater with DSA.

[throw0101d]

> Evil manager from hell: nope, you can still reconfigure the <thing> to use telnet.

Possible reply for some folks: our cyber-insurance mandates encryption for all logins.

[midasuni]

Telnet uses double rot 13 encryption.

[acdha]

The grind of audit requirements tends to mean those managers are a lot more willing to do the right thing now – it’s less risk than putting your name in writing on the thing which the auditors / insurance company will be using to fail you.

[crote]

I don't think anything using SHA-1 for security is going to pass an audit anyways...

[acdha]

Yes, or telnet. My point was that it used to be that random acts of management/ BOFH were more common because they could play politics out of consequences; now that lots of people have insurance or regulatory checks, that’s harder to do. That paperwork might not be the most efficient way to do it but it does at least produce a slow grind forcing the business people to pay attention to problems they used to ignore.

[robertlagrant]

Or just use an existing version of OpenSSL. They aren't sending a terminator back in time to purge DSA support from all of time.

[oynqr]

That would be a better timeline than this one.