John:
You are correct. There seems to be a typo. p needs to be bigger than q and x.
Russ
At 08:27 AM 2/19/99 -0500, Linn, John wrote:
I'm trying to mind p's and q's here ;-). I was questioning the last
sentence in 2.2's 2nd paragraph, which states "p must be a minimum of 160
bits long", recognizing X9.42's recommendation for a significantly larger p.
Earlier in the same paragraph, there's a separate statement about q being at
least 160 bits; I wasn't asking about that or private key sizes, just
specifically about p.
--jl
----------
From: EKR[SMTP:ekr(_at_)rtfm(_dot_)com]
Sent: Wednesday, February 17, 1999 5:19 PM
To: Russ Housley
Cc: jlinn(_at_)securitydynamics(_dot_)com; ietf-smime(_at_)imc(_dot_)org
Subject: Re: Comments on x942-05 draft
Russ Housley <housley(_at_)spyrus(_dot_)com> writes:
John said:
In 2.2, 2nd paragraph, suggest changing "...m MUST be >=160" -> "...m
MUST
be >= 160 bits in length". Later in the paragraph, is 160 bits
intended as
the appropriate minimum length for p? (Note, by comparison, that
X9.42
requires a multiple of 256 bits with a minimum of 512.)
Then Eric replied:
I'd prefer 160. 512 seems like overkill, and has unpleasant performance
tradeoffs.
I do not have a problem allowing people to have 512-bit private keys.
The
performance impact is imposed on themselves. I also think that we
should
permit 160-bit private keys for those people that belive 80-bit security
is
useful.
In summary, I think that we should allow private keys to be between 160
and
512 bits.
That's no problem, but John indicates that X9.42 has a MINIMUM of 512,
which I consider unacceptable.
As far as I'm concerned people should be allowed to go up to |p|
-Ekr
--
[Eric Rescorla ekr(_at_)rtfm(_dot_)com]