04:05:27 hrmm.. i suspect https://github.com/illumos/illumos-gate/blob/master/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c#L2834-L2837 is what's generating the error... though https://github.com/illumos/illumos-gate/blob/master/usr/src/common/crypto/des/des_impl.h#L81-L82 suggests that maybe it should be ok with 128 bits as well...
04:10:47 though the keysize is coming from softSlotToken.c
04:11:20 and the 'relaxation' seems to have originated with 6831413
04:11:33 so my guess is maybe they just missed a spot?
04:19:30 also looks like google's pkcs11 test suite doesn't check that either
04:19:39 (granted we fail it miserably already)
04:27:05 though it's been a few years since i've touched any of it
07:08:21 we still have des enabled? "A CVE released in 2016, CVE-2016-2183 disclosed a major security vulnerability in DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of DES and 3DES, led to NIST deprecating DES and 3DES for new applications in 2017, and for all applications by the end of 2023."
07:08:35 do not fix it, drop it.
12:14:30 better question would be "for what"
12:16:14 tsoome: or if not drop it, then at least "turn it off in default installation"
12:17:25 alas, not everyone might/can/will update their hashes in legacy system(s). on the other side, it's 2023, 3DES is so '80s
12:26:11 it is not just about being '80s, it is security issue.
12:28:08 in early '80s the common security awareness was not as high as it is today
12:29:00 today, if you have no security awareness, you should not be connected to network ;)
12:29:49 i know of some *big* networks where they use public IPs on workstations and they do not have any firewall in place.
12:31:09 well, that alone is no problem, but if you add there "no patching" policy too, then it is problem.
12:48:13 patching can add only illusory sense of security. but probably still better than nothing (leaving apart the fact that on those big networks there are windows workstations and workers want to connect via RDP directly from home, without any VPN)
12:48:29 anyway, not my business. 3DES should be deprecated.
13:34:07 otis $work being one of them, there is just a basic global acl set
13:34:34 but unless you jump through hoops everything gets a pub ipv4
15:54:52 otis: so my vague recollection was that des was 80's, 3des was 90's. IMHO should be disabled by default but for things like file encryption, etc., there should be a "break glass to reenable DES/3DES to decrypt your advisor's old thesis data files" config option