On Sun, Mar 26, 2006 at 10:02:18AM -0800, "Hal Finney" wrote:
It's always a tricky question, how much we should try to enforce
security standards in a data-format document. We do put minimum length
restrictions on the moduli to try to protect users against making one
kind of mistake, using a too-short key. In the same way, I don't think
we should allow them to use a 160-bit q for a 3072-bit p. This is the
spirit behind my suggestion to just allow the NIST sizes.
I think we more or less agree on this. My only sticking point is the
idea of allowing people to do something other than the NIST sizes.
How about we make the NIST sizes a SHOULD (like the minimum length
restrictions are SHOULD NOTs), and add a sentence after that to read
something like "Caution should be taken when deviating from the above
parameters which were carefully chosen to balance the strength of the
hash with the strength of the key." ?
That would seem to be the best of all worlds: we strongly advise
people to use the NIST sizes, tell them why we want them to use the
NIST sizes, but don't lock them down.
David