Many existing common hardware tokens appear to be limited to 2048 (iKey 2032 and
4000); so making anything more than 2048 mandatory may be a problem today.
Possibly there is hidden support for bigger keys in the newer products, but with
processing proportional to the cube of the key length this would have
significant impacts because of existing smartcard technology power/processing
limits.
While 3072 might gain traction (for AES-128), one wonders about 4096 or higher.
7680 is needed for AES-192 which would make this (not 4096) the next size anyway
for encryption.
NIST, with SuiteB, is promoting a switch to EC to avoid bigger RSA keys:
http://www.nsa.gov/ia/industry/crypto_suite_b.cfm
So making anything bigger than 2048 mandatory does not make sense to me.
Including 3072 as optional would be fine, even recommending a migration by xx
date if desired. But RSA may not live beyond 3072 (????).
Tony
-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On
Behalf Of Luther Martin
Sent: December 6, 2007 7:56 PM
To: Jim Schaad; Peter Gutmann; ietf-smime(_at_)imc(_dot_)org;
turners(_at_)ieca(_dot_)com
Subject: RE: Comments on S/MIME v3.2
Why would 4096 be useful? The standard levels of bit strength that NIST, X9 and
IETF documents seem to define include:
80-bit symmetric, which corresponds to 1024-bit RSA (obsolete NLT 2010) 112-bit
symmetric, which corresponds to 2048-bit RSA (obsolete NLT 2030) 128-bit
symmetric, which corresponds to 3072-bit RSA
192-bit symmetric, which corresponds to 7680-bit RSA
256-bit symmetric, which corresponds to 15360-bit RSA
So I'm not sure why a 4096-bit key would be of much interest aside from the
obvious "bigger is better" argument.
-----Original Message-----
From: Jim Schaad [mailto:ietf(_at_)augustcellars(_dot_)com]
Sent: Thursday, December 06, 2007 4:25 PM
To: 'Peter Gutmann'; ietf-smime(_at_)imc(_dot_)org; Luther Martin;
turners(_at_)ieca(_dot_)com
Subject: RE: Comments on S/MIME v3.2
What the document says is "You need to do this" not "This is what the
world currently does"
Personally I think we should probably push the limit to 4096 on the
upper
end.
Jim
-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org [mailto:owner-ietf-
smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Peter Gutmann
Sent: Wednesday, December 05, 2007 7:12 PM
To: ietf-smime(_at_)imc(_dot_)org; martin(_at_)voltage(_dot_)com;
turners(_at_)ieca(_dot_)com
Subject: RE: Comments on S/MIME v3.2
"Luther Martin" <martin(_at_)voltage(_dot_)com> writes:
With respect to the RSA key sizes, I see lots of demand for
3072-bit
keys,
but not much for 2048-bit, so I'd be very inclined to make the
range
1024 to
3072. To be compatible with AES, you need at least 3072, after all.
How widely supported are values > 2K bits in hardware and crypto
toolkits? The last time I looked (which admittedly was a few years
ago), you
ran
into
problems if you assumed that everyone could handle > 2K bit keys.
Peter.