RE: Key Sizes in S/MIME v3.2

Maybe the DSSC draft could be of use here:
http://tools.ietf.org/html/draft-ietf-ltans-dssc-01.

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Russ 
Housley
Sent: Wednesday, February 20, 2008 1:39 PM
To: Turner, Sean P.; 'Denis Pinkas'; ietf-smime(_at_)imc(_dot_)org
Subject: RE: Key Sizes in S/MIME v3.2


The point is that we should be able to validate a signature that was
generated by a key pair that was generated under the previous
recommendations.

Russ


At 12:10 PM 2/20/2008, Turner, Sean P. wrote:

> As I dig around, I find that 1024 is pretty much the minimum that is 
> recommended. Both NIST (SP 800-78) and RSA
> (http://www.rsa.com/rsalabs/node.asp?id=2004) recommend at least 1024
now.
> Also, I'm not sure I've ever actually seen a 768-bit key in a 
> certificate - all I've seen for years now is 1024.
>
> spt
>
> > -----Original Message-----
> > From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
> > [mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Denis 
> > Pinkas
> > Sent: Wednesday, February 20, 2008 11:34 AM
> > To: ietf-smime(_at_)imc(_dot_)org
> > Subject: Re: Key Sizes in S/MIME v3.2
> >
> >
> >
> >
> > > How about for 3851bis: A user agent SHOULD generate RSA key
> > pairs at a
> > > minimum key size of 1024 bits.  A user agent MUST NOT
> > generate RSA key
> > > pairs less than 1024 bits long.
> > With these two sentences there is no more room for key sizes less 
> > than 1024 bits.
> > 768 bits is still fully adequate, even we can recommend to use
> > 1024 bits as the minimum.
> >
> > Denis
> >
> > > I'll move the 768 back to 512 as suggested by Simon.
> > >
> > > spt
> > > > -----Original Message-----
> > > > From: Russ Housley [mailto:housley(_at_)vigilsec(_dot_)com]
> > > > Sent: Wednesday, February 20, 2008 9:16 AM
> > > > To: Turner, Sean P.
> > > > Cc: ietf-smime(_at_)imc(_dot_)org
> > > > Subject: RE: Key Sizes in S/MIME v3.2
> > > >
> > > > Sean:
> > > >
> > > > Given the proposed text, it sounds like you really want to say that
> > > > key sizes from 768 to 2048 bits must be supported, even
> > though you are
> > > > recommending 1024 bits as the minimum for newly generated keys.
> > > >
> > > > Russ
> > > >
> > > > At 07:17 AM 2/20/2008, Turner, Sean P. wrote:
> > > >
> > > > > I should have been clearer.
> > > > >
> > > > > RFC 3850 current says (sec 4.3):
> > > > >
> > > > >  Key sizes from 512 bits to 2048 bits MUST be supported.
> > > > >
> > > > > Suggesting it be replaced with:
> > > > >
> > > > >  Key sizes from 1024 bits to 2048 bits MUST be supported.
> > > > >
> > > > > Here are the suggested changes RFC 3851 (sec 4.1):
> > > > >
> > > > >  If an S/MIME agent needs to generate an RSA key pair,  then the 
> > > > > S/MIME agent or some related administrative  utility or function 
> > > > > SHOULD generate RSA key pairs  using the following
> > > > guidelines.  A user
> > > > > agent SHOULD  generate RSA key pairs at a minimum key size of
1024
> > > > >                                          was 768 ^^^^
> > bits.  A user
> > > > > agent MUST NOT generate RSA key pairs  less than 768 bits long.
> > > > > Creating keys longer than
> > > > >            ^^^ was 512
> > > > >  1024 bits can cause some older S/MIME receiving agents  to not 
> > > > > be able to verify signatures, but gives better  security and is
> > > > therefore
> > > > > valuable.  A receiving agent  SHOULD be able to verify
> > > > signatures with
> > > > > keys of any  size over 768 bits. Some agents created in the
United
> > > > >            ^^^ was 512
> > > > >  States have chosen to create 512 bit keys in order to  get more 
> > > > > advantageous export licenses.  However, 512  bit keys are
> > considered
> > > > > by many to be cryptographically  insecure. Implementers SHOULD be
> > > > > aware that multiple
> > > > >  (active) key pairs can be associated with a single
> > > > individual.  For
> > > > > example, one key pair can be used  to support
> > > > confidentiality, while a
> > > > > different key pair  can be used for authentication.
> > > > >
> > > > > Thoughts?
> > > > >
> > > > > spt
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
> > > > > > [mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of 
> > > > > > Paul Hoffman
> > > > > > Sent: Tuesday, February 19, 2008 1:42 PM
> > > > > > To: Turner, Sean P.; ietf-smime(_at_)imc(_dot_)org
> > > > > > Subject: Re: Key Sizes in S/MIME v3.2
> > > > > >
> > > > > >
> > > > > > At 11:34 AM -0500 2/19/08, Turner, Sean P. wrote:
> > > > > > >  >From the mail discussion we had in December, it's pretty
> > > > > > clear to me
> > > > > > > that key sizes from 1024-2048 ought to be the MUST and other
> > > > > > key sizes are MAY.
> > > > > > > I'm suggesting the following text:
> > > > > > >
> > > > > > > Key sizes from 1024 bits to 2048 buts MUST be supported.
> > > > Keys sizes
> > > > > > > larger than 2048 MAY be supported.
> > > > > > Sure.
> > > > > >
> > > > > > > Should we put a MUST NOT or SHOULD NOT in for key sizes
> > > > > > smaller than 1024?
> > > > > >
> > > > > > MUST NOT or SHOULD NOT *what*? Generate, or validate?
> > Regards,
> >
> > Denis Pinkas