Steve:
A separate issue is whether such a signature is verified before or
after the certificate itself is verified and whether one can
persuade a CA to issue a certificate containing such a key.
Indeed, this is the best solution. Perhaps we should drop the max
size limit and discuss this point in the security considerations.
I was amazed by the following proposal :
"A receiving agent SHOULD be able to verify signatures with keys up to 16384
bits".
If we drop it, then there is no guidance anymore.
Reasonably, for any implementation, today:
"A receiving agent SHOULD be able to verify signatures with keys up to 2048
bits".
This does not prevent any implementation to support larger key sizes.
Denis
Russ