Paul Hoffman wrote:
I disagree with the upper limit. Verifying signatures with 16K bit keys
is very difficult for constrained devices; this "SHOULD" may have the
effect of making device makers need to use faster CPUs than they would
normally want to have.
I made a study of the use of public keys in a DoS attack a while ago.
It isn't merely a key size issue. A signature using a 16K key and a
small public exponent (such as 65537) can be verified using far less
effort than one with a 16K public exponent.
A separate issue is whether such a signature is verified before or after
the certificate itself is verified and whether one can persuade a CA to
issue a certificate containing such a key.
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson(_at_)drh-consultancy(_dot_)co(_dot_)uk, PGP key: via homepage.