At 10:16 AM -0400 3/25/08, Turner, Sean P. wrote:
This sounds reasonable. I replace the following sentence in 3851bis:
A receiving agent SHOULD be able to verify signatures with keys of any size
over 512 bits.
with
A receiving agent SHOULD be able to verify signatures with keys up to 16384
bits.
I disagree with the upper limit. Verifying signatures with 16K bit
keys is very difficult for constrained devices; this "SHOULD" may
have the effect of making device makers need to use faster CPUs than
they would normally want to have.
It is unclear which part of the SHOULD is not a MUST here. Because we
are talking only about interoperability, then the number is 1024,
which is what the key creators SHOULD be making. But that is clearly
a lower bound of what a typical receiver might expect. Therefore, a
short sentence like the one proposed is insufficient. How about:
A receiving agent needs to be able to verify signatures whose key
length is chosen by the signer. At a minimum, a receiving agent MUST
be able to verify signatures whose key length is 1024 bits or
shorter. However, most receiving agents are likely to see signatures
whose key length is longer than that during the next decade.