On Behalf Of Paul Hoffman
Sent: Saturday, May 03, 2008 12:11 PM
Subject: RE: S/MIME v3.2 IDs key size text (resend, this time not opaque
signed with 2k key)

Our task is to create a standard that is usable by as many people as
possible while at the same time setting some minimum operational
security expectations. For interoperability, we need to say "you can
verify signatures created following this spec". For minimum
operational security, we have to pick a size that is reasonable for
the vast majority of users while encouraging software developers to
support all reasonable sizes.

Please read RFC 3766. If you believe that the numbers in there are
wrong, by all means let the IETF community know. If you believe that
the numbers there are right but you still think that a typical user
needs more than 75 bits of symmetric strength for their signatures,
even though no one has ever done that much effort for even a single
attack in public, please say why.

These are interesting points.

I believe that the vast majority of users are actually either at government
agencies or financial institutions. The government guys need FIPS 140-2, which
is fairly clear about requiring bigger keys (actually the SP that the IG refers
to is), and the FI people need to follow the ANSI X9 recommendations. Both of
these require the use of 2K keys Really Soon. Because of this, I believe that
making things reasonable for the vast majority of users means requiring the
support for 2K keys ASAP.

I'd also say that what RFC 3766 says is totally irrelevant. The people who rely
on cryptography are the ones that say what an acceptable level of risk is. In
the case of FIs who rely on X9 standards, this means using keys that are fairly
big, and may be bigger than RFC 3766 describes. In the case of government
users, this is defined by NIST in SP 800-57.

From the point of view of a cryptographer, the key sizes that they require may
seem a bit big, but then the cryptographers aren't the ones dealing with
trillions of dollars of risk, either.