ietf-smime

Re: Key Sizes in S/MIME v3.2

2008-02-20 09:17:12

Sean,

I like the proposed text, with two exceptions:

A - " A receiving agent SHOULD be able to verify signatures with keys of any
 size over 768 bits".

1 - The upper limit is unlimited, so I would not like that sentence 
    to be interpreted so that we SHOULD support 4096-bit keys :-(

2 - With that sentence, there is no MUST for a receiving agent.
  
We should have sentences like:

A receiving agent SHALL ...
A receiving agent SHOULD ...

The following is a try:

A receiving agent SHALL be able to verify signatures with keys of any
size between 768 bits and 2048 bits.

A receiving agent SHOULD be able to verify signatures with keys of any
size between 512 bits and 767 bits, for backwards compatibility.

OR

A receiving agent SHALL be able to verify signatures with keys of any
size between 1024 bits and 2048 bits.

A receiving agent SHOULD be able to verify signatures with keys of any
size between 512 bits and 1023 bits.

B - Then the following text should be improved and moved to the security 
considerations section:

" Implementers SHOULD be aware that multiple
(active) key pairs can be associated with a single
individual.  For example, one key pair can be used
to support confidentiality, while a different key pair
can be used for authentication".

I suggest using the material sent in my earlier e-mail.

Denis

===============================================================

I should have been clearer.

RFC 3850 currently says (sec 4.3):

Key sizes from 512 bits to 2048 bits MUST be supported. 

Suggesting it be replaced with:

Key sizes from 1024 bits to 2048 bits MUST be supported. 

Here are the suggested changes to RFC 3851 (sec 4.1):

If an S/MIME agent needs to generate an RSA key pair,
then the S/MIME agent or some related administrative
utility or function SHOULD generate RSA key pairs
using the following guidelines.  A user agent SHOULD
generate RSA key pairs at a minimum key size of 1024
                                        was 768 ^^^^
bits.  A user agent MUST NOT generate RSA key pairs
less than 768 bits long. Creating keys longer than
          ^^^ was 512
1024 bits can cause some older S/MIME receiving agents
to not be able to verify signatures, but gives better
security and is therefore valuable.  A receiving agent
SHOULD be able to verify signatures with keys of any
size over 768 bits. Some agents created in the United
          ^^^ was 512
States have chosen to create 512 bit keys in order to
get more advantageous export licenses.  However, 512
bit keys are considered by many to be cryptographically
insecure. Implementers SHOULD be aware that multiple
(active) key pairs can be associated with a single
individual.  For example, one key pair can be used
to support confidentiality, while a different key pair
can be used for authentication. 

Thoughts?

spt

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Paul 
Hoffman
Sent: Tuesday, February 19, 2008 1:42 PM
To: Turner, Sean P.; ietf-smime(_at_)imc(_dot_)org
Subject: Re: Key Sizes in S/MIME v3.2


At 11:34 AM -0500 2/19/08, Turner, Sean P. wrote:
From the mail discussion we had in December, it's pretty clear to me 
that key sizes from 1024-2048 ought to be the MUST and other 
key sizes are MAY.
I'm suggesting the following text:

Key sizes from 1024 bits to 2048 bits MUST be supported. Key sizes 
larger than 2048 MAY be supported.

Sure.

Should we put a MUST NOT or SHOULD NOT in for key sizes 
smaller than 1024?

MUST NOT or SHOULD NOT *what*? Generate, or validate?




Regards,

Denis Pinkas
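The thread above argues about which RSA modulus sizes a receiving agent MUST, SHOULD or MAY verify, and which sizes a generating agent MUST NOT produce. The following Python is an added example, not code from the thread or from any S/MIME implementation, showing how a receiving agent would turn that normative text into a check: it extracts the modulus bit length from a DER-encoded RSAPublicKey (SEQUENCE of two INTEGERs) and sorts it into the tiers proposed in the thread (MUST verify 1024-2048, SHOULD verify 512-1023 for backwards compatibility, MAY verify above 2048, reject below 512), plus the generation limits from Sean's draft text (MUST NOT generate below 768, SHOULD generate at least 1024). The `sample_modulus()` values are constructed integers of the right bit length, not real RSA moduli; the tier names and the `accept_legacy` / `accept_large` knobs are this example's own choices, not terms from the draft.

```python
"""Key-size policy check for an S/MIME receiving agent (added example).

Tiers follow the text proposed in the thread; the names below are ours:
  "must"   : 1024..2048 bits, every receiving agent verifies these
  "should" : 512..1023 bits, legacy keys an agent should still verify
  "may"    : above 2048 bits, optional support
  "reject" : below 512 bits, never verified
"""

MUST_MIN, MUST_MAX = 1024, 2048   # MUST-verify range from the thread
LEGACY_MIN = 512                  # SHOULD-verify lower bound (backwards compat.)
GEN_HARD_MIN = 768                # MUST NOT generate below this (Sean's draft)
GEN_SOFT_MIN = 1024               # SHOULD generate at least this (Sean's draft)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if top bit set)."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one tag/length/value; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """Return the bit length of the modulus in a DER RSAPublicKey."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, _e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected SEQUENCE of exactly two INTEGERs")
    # int.from_bytes drops the DER sign padding byte automatically.
    return int.from_bytes(n_bytes, "big").bit_length()


def classify_key_size(bits: int) -> str:
    """Map a modulus size onto the thread's MUST / SHOULD / MAY / reject tiers."""
    if MUST_MIN <= bits <= MUST_MAX:
        return "must"
    if LEGACY_MIN <= bits < MUST_MIN:
        return "should"
    if bits > MUST_MAX:
        return "may"
    return "reject"


def agent_accepts(der: bytes, accept_legacy: bool = True,
                  accept_large: bool = False) -> bool:
    """Receiving-agent decision: verify signatures made with this key or not."""
    tier = classify_key_size(rsa_modulus_bits(der))
    return (tier == "must"
            or (tier == "should" and accept_legacy)
            or (tier == "may" and accept_large))


def check_generation_size(bits: int) -> str:
    """Generating-agent rule from Sean's draft: MUST NOT < 768, SHOULD >= 1024."""
    if bits < GEN_HARD_MIN:
        return "forbidden"
    if bits < GEN_SOFT_MIN:
        return "discouraged"
    return "recommended"


def sample_modulus(bits: int) -> int:
    """Constructed odd integer with exactly `bits` bits; NOT a real RSA modulus."""
    return (1 << (bits - 1)) | 1


if __name__ == "__main__":
    for bits in (511, 512, 1023, 1024, 2048, 4096):
        der = encode_rsa_public_key(sample_modulus(bits), 65537)
        print(bits, classify_key_size(rsa_modulus_bits(der)),
              "accept" if agent_accepts(der) else "refuse",
              "generate:", check_generation_size(bits))
```

The parser accepts only the exact shape RFC 3447 gives for RSAPublicKey and refuses trailing data, so a malformed key cannot be mis-measured as a larger one; the 1024-bit sample exercises the long-form DER length because the sign-padded modulus is 129 bytes.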

