On Tue, Mar 25, 2008 at 09:34:02PM +0000, Dr Stephen Henson wrote:
> It isn't merely a key size issue. A signature using a 16K key and a small
> public exponent (such as 65537) can be verified using far less
> effort than one with a 16K public exponent.
Based on this and Paul's comments, I think that there are definitely two
separate issues:
1. Guidance for interoperability (MUST / SHOULD for keylengths)
2. Security considerations (don't bite off keys bigger than you can chew)
Unfortunately, this opens up a new can of worms for the security
considerations -- how do you specify the right combination of exponent and
modulus values for RSA that are a problem? Are there a similar set of
giant parameters that might be used with DSA?
Blake
--
Blake Ramsdell | Sendmail, Inc. | http://www.sendmail.com
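Added example, not code from either poster or from any project mentioned in the thread: it shows why RSA verification effort tracks the public exponent (square-and-multiply does one squaring per exponent bit plus one multiply per set bit), and a parameter check a verifier can run before paying for the modular exponentiation. The size limits, the constructed odd modulus and the all-ones exponent are assumptions for illustration only.

```python
# Added example, not code from the thread or from any project named in it.
# It shows why RSA verification cost tracks the public exponent, and a
# parameter check a verifier can run before the expensive pow() call.
# The size limits below are assumed policy values, not from the thread.
import secrets
import time


def modexp_multiplications(e: int) -> int:
    """Modular multiplications square-and-multiply needs for exponent e:
    one squaring per bit after the leading bit, one multiply per extra set bit."""
    if e < 1:
        raise ValueError("exponent must be positive")
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


def check_rsa_public_key(n: int, e: int, max_modulus_bits: int = 16384,
                         max_exponent_bits: int = 64) -> tuple[bool, str]:
    """Reject RSA public parameters a verifier is not prepared to pay for.
    Limits are assumed policy values; a real deployment picks its own."""
    if e < 3 or e % 2 == 0:
        return False, "public exponent must be odd and at least 3"
    if n.bit_length() > max_modulus_bits:
        return False, f"modulus is {n.bit_length()} bits, limit {max_modulus_bits}"
    if e.bit_length() > max_exponent_bits:
        return False, f"exponent is {e.bit_length()} bits, limit {max_exponent_bits}"
    return True, "ok"


def time_verify_like_op(n_bits: int, e: int) -> float:
    """Seconds for one m^e mod n with a constructed odd modulus (not a real key)."""
    n = secrets.randbits(n_bits) | (1 << (n_bits - 1)) | 1
    m = secrets.randbelow(n)
    start = time.perf_counter()
    pow(m, e, n)
    return time.perf_counter() - start


if __name__ == "__main__":
    small_e = 65537
    # Constructed worst case: exponent as wide as the modulus, every bit set.
    huge_e = (1 << 2048) - 1
    print("ops for e=65537:", modexp_multiplications(small_e))
    print("ops for 2048-bit all-ones e:", modexp_multiplications(huge_e))
    print(f"2048-bit modulus, e=65537: {time_verify_like_op(2048, small_e):.6f}s")
    print(f"2048-bit modulus, huge e:  {time_verify_like_op(2048, huge_e):.6f}s")
    n_ok = (1 << 2047) | 1
    print(check_rsa_public_key(n_ok, small_e))
    print(check_rsa_public_key(n_ok, huge_e))
```

With e=65537 the exponentiation costs 17 multiplications; with a 2048-bit all-ones exponent it costs 4094, which is the asymmetry the quoted remark describes and the reason a verifier wants a limit on the exponent as well as the modulus.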