Why would 4096 be useful? The standard levels of bit strength that NIST,
X9 and IETF documents seem to define include:
80-bit symmetric, which corresponds to 1024-bit RSA (obsolete NLT 2010)
112-bit symmetric, which corresponds to 2048-bit RSA (obsolete NLT 2030)
128-bit symmetric, which corresponds to 3072-bit RSA
192-bit symmetric, which corresponds to 7680-bit RSA
256-bit symmetric, which corresponds to 15360-bit RSA
So I'm not sure why a 4096-bit key would be of much interest aside from
the obvious "bigger is better" argument.
-----Original Message-----
From: Jim Schaad [mailto:ietf(_at_)augustcellars(_dot_)com]
Sent: Thursday, December 06, 2007 4:25 PM
To: 'Peter Gutmann'; ietf-smime(_at_)imc(_dot_)org; Luther Martin;
turners(_at_)ieca(_dot_)com
Subject: RE: Comments on S/MIME v3.2
What the document says is "You need to do this" not "This is what the world
currently does"
Personally I think we should probably push the limit to 4096 on the upper
end.
Jim
-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org [mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Peter Gutmann
Sent: Wednesday, December 05, 2007 7:12 PM
To: ietf-smime(_at_)imc(_dot_)org; martin(_at_)voltage(_dot_)com;
turners(_at_)ieca(_dot_)com
Subject: RE: Comments on S/MIME v3.2
"Luther Martin" <martin(_at_)voltage(_dot_)com> writes:
With respect to the RSA key sizes, I see lots of demand for 3072-bit keys,
but not much for 2048-bit, so I'd be very inclined to make the range 1024 to
3072. To be compatible with AES, you need at least 3072, after all.
How widely supported are values > 2K bits in hardware and crypto toolkits?
The last time I looked (which admittedly was a few years ago), you ran into
problems if you assumed that everyone could handle > 2K bit keys.
Peter.