Denis,
Comments inline...
spt
-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Denis
Pinkas
Sent: Wednesday, February 20, 2008 10:49 AM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: Key Sizes in S/MIME v3.2
Sean,
I like the proposed text, with two exceptions:
A - " A receiving agent SHOULD be able to verify signatures
with keys of any size over 768 bits".
1 - The upper limit is unlimited, so I would not like that sentence
to be interpreted so that we SHOULD support 4096 bits keys :-(
In December we talked about keys larger than 2048 and most people felt that
they should be a MAY.
2 - With that sentence, there is no MUST for a receiving agent.
We should have sentences like:
A receiving agent SHALL ...
A receiving agent SHOULD ...
The following is a try:
A receiving agent SHALL be able to verify signatures with keys
of any size between 768 bits and 2048 bits.
A receiving agent SHOULD be able to verify signatures with
keys of any size between 512 bits and 767 bits, for backwards
compatibility.
OR
A receiving agent SHALL be able to verify signatures with keys
of any size between 1024 bits and 2048 bits.
A receiving agent SHOULD be able to verify signatures with
keys of any size between 512 bits and 1023 bits.
The reason I think it's a SHOULD as opposed to SHALL is that they didn't
want to limit the upper bounds. If we change this to a SHALL then we have to
decide where the upper bound is. I actually prefer to leave this as SHOULD
verify signatures with keys of any size over 512 bits.
B - Then the following text should be improved and moved into
the security considerations section:
" Implementers SHOULD be aware that multiple
(active) key pairs can be associated with a single individual.
For example, one key pair can be used to support
confidentiality, while a different key pair can be used for
authentication".
We can move the text.
I suggest using the material sent in my earlier e-mail.
Denis
===============================================================
I should have been clearer.
RFC 3850 currently says (sec 4.3):
Key sizes from 512 bits to 2048 bits MUST be supported.
Suggesting it be replaced with:
Key sizes from 1024 bits to 2048 bits MUST be supported.
Here are the suggested changes RFC 3851 (sec 4.1):
If an S/MIME agent needs to generate an RSA key pair, then the S/MIME
agent or some related administrative utility or function SHOULD
generate RSA key pairs using the following guidelines. A user agent
SHOULD generate RSA key pairs at a minimum key size of 1024 bits
[was 768]. A user agent MUST NOT generate RSA key pairs less than 768
bits long [was 512]. Creating keys longer than 1024 bits can cause
some older S/MIME receiving agents to not be able to verify signatures,
but gives better security and is therefore valuable. A receiving agent
SHOULD be able to verify signatures with keys of any size over 768 bits
[was 512]. Some agents created in the United States have chosen to
create 512 bit keys in order to get more advantageous export licenses.
However, 512 bit keys are considered by many to be cryptographically
insecure. Implementers SHOULD be aware that multiple (active) key pairs
can be associated with a single individual. For example, one key pair
can be used to support confidentiality, while a different key pair can
be used for authentication.
Thoughts?
spt
-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Paul
Hoffman
Sent: Tuesday, February 19, 2008 1:42 PM
To: Turner, Sean P.; ietf-smime(_at_)imc(_dot_)org
Subject: Re: Key Sizes in S/MIME v3.2
At 11:34 AM -0500 2/19/08, Turner, Sean P. wrote:
From the mail discussion we had in December, it's pretty clear to me
that key sizes from 1024-2048 ought to be the MUST and other key sizes
are MAY.
I'm suggesting the following text:
Key sizes from 1024 bits to 2048 bits MUST be supported. Key sizes
larger than 2048 MAY be supported.
Sure.
Should we put a MUST NOT or SHOULD NOT in for key sizes
smaller than 1024?
MUST NOT or SHOULD NOT *what*? Generate, or validate?
Regards,
Denis Pinkas
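The thread above argues about which RSA modulus sizes a receiving agent must, should or may handle, but an agent can only apply such a rule if it measures the key size correctly. The following is an added example (it is not part of the thread, nor text from RFC 3850 or RFC 3851): a minimal hand-written DER decoder for the PKCS#1 RSAPublicKey structure that reports the modulus bit length and maps it onto the thresholds proposed in the thread. The thresholds are taken from the proposed text quoted above; the DER encoder/decoder and the sample moduli (constructed numbers of the wanted bit length, not real RSA keys) are assumptions of this example only.

```python
# Added example (not from the thread or from RFC 3850/3851): measure an RSA
# public key's modulus size from its DER encoding and map it onto the key-size
# text proposed above.  The DER decoder is a minimal hand-written one for the
# PKCS#1 RSAPublicKey structure, SEQUENCE { INTEGER n, INTEGER e }; the sample
# moduli are constructed numbers of the wanted bit length, not real RSA keys.

def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    """Encode a non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b

def encode_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def decode_rsa_public_key(der):
    """Parse RSAPublicKey DER into (n, e); reject anything that is not exactly that."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, n_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    tag, e_bytes, pos = _read_tlv(body, pos)
    if tag != 0x02 or pos != len(body):
        raise ValueError("exponent is not an INTEGER, or trailing data")
    # DER INTEGERs are two's complement: decode signed so a modulus encoded
    # without its leading 0x00 shows up as negative and is rejected.
    n = int.from_bytes(n_bytes, "big", signed=True)
    e = int.from_bytes(e_bytes, "big", signed=True)
    if n <= 0 or e <= 0:
        raise ValueError("modulus and exponent must be positive")
    return n, e

def modulus_bits(der):
    """Key size is the bit length of n, not 8 * (INTEGER content octets):
    a 1024-bit modulus is encoded in 129 octets because of the sign byte."""
    n, _ = decode_rsa_public_key(der)
    return n.bit_length()

def accepts(der):
    """True if der parses as a well-formed RSAPublicKey."""
    try:
        decode_rsa_public_key(der)
        return True
    except ValueError:
        return False

# Thresholds taken from the text proposed in the thread (RFC 3851 sec 4.1 and
# RFC 3850 sec 4.3 as revised there).
def generation_policy(bits):
    if bits < 768:
        return "MUST NOT generate"
    if bits < 1024:
        return "permitted, but below the SHOULD minimum of 1024"
    return "permitted"

def verification_policy(bits):
    if 1024 <= bits <= 2048:
        return "MUST support"
    if bits > 2048:
        return "MAY support"
    return "below 1024: not covered by the proposed MUST"

if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048, 4096):
        der = encode_rsa_public_key((1 << (bits - 1)) | 1, 65537)  # constructed n
        print(bits, modulus_bits(der), generation_policy(bits), verification_policy(bits))
```

Two points the code makes that the prose does not: the size to compare against the policy is the bit length of the modulus, which is one less than eight times the INTEGER's content octets whenever the sign byte is present, and a decoder that reads the INTEGER as unsigned will quietly accept a malformed encoding whose top bit is set. In a real agent the RSAPublicKey would come out of the SubjectPublicKeyInfo in the signer's certificate rather than being constructed as here.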