"Turner, Sean P." <turners(_at_)ieca(_dot_)com> writes:
A receiving agent SHOULD be able to verify signatures with keys up to 16384
Even that's a significant DoS. What about MUST to 4K and MAY to 16K, with a
note about the DoS issue?
The 16Kbit value is going to cause the same problems as 256-bit keys do for
AES, once you give some arbitrary large upper bound it creates the perception
that keys of the same size as the upper bound are somehow "better" than
smaller-sized keys, and so all the tinfoil-hat implementations will insist on
using 16Kbit keys, and then others will have to follow in order to be as
"good" as the tinfoil-hat versions.
Also, how many implementations actually support 16Kbit values? How much
legacy hardware can handle 16Kbit keys? How many smart cards can do 16Kbit
keys? Specifying this is opening a real can of worms...