ietf-smime
[Top] [All Lists]

RE: S/MIME v3.2 IDs key size text

2008-03-19 13:32:54

My only concern is making key size generation requirements a MANDATORY part of
this standard.  I understand it may have been appropriate in the past.

I agree with making non-mandatory RECOMMENDATIONS regarding key size generation.
Also agree with making support for minimum key size ranges mandatory.  And have
no problems with the sizes proposed.

However MANDATING (MUST/MUST-NOT) the generation and use of specific minimum
sizes (or algorithms for that matter) seems to me to be better addressed by Cert
Policies, etc. - and indeed in many cases key generation and use ends up being
imposed by the PKI design - and defined in the corresponding CP - anyway.

I agree the RFC should set out as mandatory the minimum specifications required
to ensure a high likelihood of interoperability.  However, if users choose to
use small keys (and are allowed to under their CP) then does this make the
implementation non-compliant to S/MIME v3.2?  For example, if S/MIME is used to
implement a compartmentalized security policy and used over a secure
infrastructure, do we presume to say a 768 bit key is insufficient for this
particular application?  

The only change I would suggest is to remove the sentence:
" A user agent MUST NOT generate RSA key pairs less than 1024 bits long"

The previous sentence to this already captures the RECOMMENDATION against keys
of less than 1024 anyway.

I think in earlier versions of the RFC it was appropriate to mandate minimum key
sizes, but nowadays, we should leave this decision to the designers who are
working against the threat and risk assessment (and sure, include
recommendations aimed at less sophisticated users).

Tony


| -----Original Message-----
| From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
| [mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Turner, 
Sean P.
| Sent: March 19, 2008 3:08 PM
| To: ietf-smime(_at_)imc(_dot_)org
| Subject: S/MIME v3.2 IDs key size text
| 
| 
| 
| The key size text is the remaining issue with the S/MIME v3.2 
| IDs.  What I'm hoping to do is consensus on the text so we 
| can issue a WG LC on these two IDs. To make sure there's no 
| confusion I've included the old and new text from the two 
| IDs. If you have comments on the new text please be specific 
| about the change you are proposing.
| 
| spt
| 
| --------------
| 
| In 3850bis, the update is to section 4.3 (this is the only 
| sentence that refers to key sizes):
| 
| (old) Key sizes from 512 bits to 2048 bits MUST be supported.
| 
| (new) Key sizes from 1024 bits to 2048 bits MUST be supported.
| 
| In 3851bis, the update is to section 4.1:
| 
| (old) If an S/MIME agent needs to generate an RSA key pair, 
| then the S/MIME agent or some related administrative utility 
| or function SHOULD generate RSA key pairs using the following 
| guidelines.  A user agent SHOULD generate RSA key pairs at a 
| minimum key size of 768 bits.  A user agent MUST NOT generate 
| RSA key pairs less than 512 bits long. Creating keys longer 
| than 1024 bits can cause some older S/MIME receiving agents 
| to not be able to verify signatures, but gives better 
| security and is therefore valuable.  A receiving agent SHOULD 
| be able to verify signatures with keys of any size over 512 
| bits. Some agents created in the United States have chosen to 
| create 512 bit keys in order to get more advantageous export 
| licenses. However, 512 bit keys are considered by many to be 
| cryptographically insecure. Implementers SHOULD be aware that 
| multiple (active) key pairs can be associated with a single 
| individual.  For example, one key pair can be used to support 
| confidentiality, while a different key pair can be used for 
| authentication.
| 
| (new) If an S/MIME agent needs to generate an RSA key pair, 
| then the S/MIME agent or some related administrative utility 
| or function SHOULD generate RSA key pairs using the following 
| guidelines.  A user agent SHOULD generate RSA key pairs at a 
| minimum key size of 1024 bits.  A user agent MUST NOT 
| generate RSA key pairs less than 1024 bits long. Creating 
| keys longer than 1024 bits can cause some older S/MIME 
| receiving agents to not be able to verify signatures, but 
| gives better security and is therefore valuable.  A receiving 
| agent SHOULD be able to verify signatures with keys of any 
| size over 512 bits. 
| 
| - the last four sentences from old text were moved to the 
| security considerations.
| 

<Prev in Thread] Current Thread [Next in Thread>