ietf-smime

RE: S/MIME v3.2 IDs key size text

2008-03-25 13:51:54

Paul:

How would you suggest warning people that they should not attempt to handle really huge keys? Would you put it in the security consideration instead?

Russ

At 02:11 PM 3/25/2008, Paul Hoffman wrote:

At 10:16 AM -0400 3/25/08, Turner, Sean P. wrote:
This sounds reasonable. I replace the following sentence in 3851bis:

A receiving agent SHOULD be able to verify signatures with keys of any size
over 512 bits.

with

A receiving agent SHOULD be able to verify signatures with keys up to 16384
bits.

I disagree with the upper limit. Verifying signatures with 16K bit keys is very difficult for constrained devices; this "SHOULD" may have the effect of making device makers need to use faster CPUs than they would normally want to have.

It is unclear which part of the SHOULD is not a MUST here. Because we are talking only about interoperability, then the number is 1024, which is what the key creators SHOULD be making. But that is clearly a lower bound of what a typical receiver might expect. Therefore, a short sentence like the one proposed is insufficient. How about:

A receiving agent needs to be able to verify signatures whose key length is chosen by the signer. At a minimum, a receiving agent MUST be able to verify signatures whose key length is 1024 bits or shorter. However, most receiving agents are likely to see signatures whose key length is longer than that during the next decade.
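A receiving agent that wants to bound the work it performs, as the thread discusses, can check the modulus length before it attempts any modular arithmetic on the signature. The following is an added example, not text from this thread or code from any S/MIME implementation: it decodes a PKCS #1 RSAPublicKey structure, reads the modulus bit length, and applies configurable lower and upper bounds. The defaults of 512 and 16384 bits are taken from the sentences quoted above purely as illustrative settings, and the DER helpers, the function names and the constructed test keys are assumptions of this example.

```python
# Added example: a key-size gate a receiving agent can run before signature
# verification. Bounds, helper names and test keys are assumptions.

MIN_MODULUS_BITS = 512     # assumed floor, from the 3851bis wording "over 512 bits"
MAX_MODULUS_BITS = 16384   # assumed ceiling, from the proposed "up to 16384 bits"


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                  # short-form length
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(der: bytes):
    """Decode RSAPublicKey and return (modulus, publicExponent)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def modulus_bits(der: bytes) -> int:
    """Bit length of the modulus; this is the cheap check done before verification."""
    n, _ = parse_rsa_public_key(der)
    return n.bit_length()


def key_size_verdict(der: bytes,
                     min_bits: int = MIN_MODULUS_BITS,
                     max_bits: int = MAX_MODULUS_BITS) -> str:
    """Accept only moduli inside the agent's supported range; refuse the rest
    before any expensive modular exponentiation is attempted."""
    bits = modulus_bits(der)
    if bits < min_bits:
        return "reject: modulus too small"
    if bits > max_bits:
        return "reject: modulus too large"
    return "accept"


def constructed_key(bits: int) -> bytes:
    """Constructed test key whose modulus has exactly `bits` bits (not a real key)."""
    n = (1 << (bits - 1)) | 1
    return encode_rsa_public_key(n, 65537)


if __name__ == "__main__":
    for bits in (384, 1024, 4096, 16384, 32768):
        print(bits, key_size_verdict(constructed_key(bits)))
    # A constrained device would simply pass a smaller max_bits:
    print(4096, key_size_verdict(constructed_key(4096), max_bits=2048))
```

The point of putting the check ahead of verification is that decoding two INTEGERs costs almost nothing, while the modular exponentiation for a very large modulus is exactly the work Paul's message says a constrained device may not want to do; the device sets `max_bits` to whatever it is prepared to verify.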