Paul has suggest a rewording of his text for 4.1 as follows:
A receiving agent needs to be able to verify signatures whose key length is
chosen by the signer. For interoperability, a receiving agent MUST be able
to verify signatures whose key length is 1024 bits or shorter. Being able to
verify signatures is mandatory because earlier versions of this
specification required the ability to generate signatures with shorter key
lengths. Note that most receiving agents are likely to see signatures whose
key length is longer than 1024 bits during the next decade, and those
receiving agents will want to be able to verify those signatures.
He's also suggested the following security consideration:
Receiving agents are only required to validate signatures that are the same
length as sending agents are required to produce, namely 1024 bits. Many
people feel that signatures of 1024 bits do not meet their security
requirements today, or even if they meet their requirements today, they will
not meet their requirements in the foreseeable future. Therefore, sending
and receiving agents need to decide what strength of signature they want to
produce and validate, respectively. Further, those decisions need to be
reviewed periodically in light of decreasing cryptographic strength over
time of signatures.
spt
-----Original Message-----
From: Paul Hoffman [mailto:phoffman(_at_)imc(_dot_)org]
Sent: Tuesday, March 25, 2008 2:12 PM
To: Turner, Sean P.; 'Russ Housley'; ietf-smime(_at_)imc(_dot_)org
Subject: RE: S/MIME v3.2 IDs key size text
At 10:16 AM -0400 3/25/08, Turner, Sean P. wrote:
This sounds reasonable. I replace the following sentence in 3851bis:
A receiving agent SHOULD be able to verify signatures with
keys of any
size over 512 bits.
with
A receiving agent SHOULD be able to verify signatures with keys up to
16384 bits.
I disagree with the upper limit. Verifying signatures with 16K
bit keys is very difficult for constrained devices; this
"SHOULD" may have the effect of making device makers need to
use faster CPUs than they would normally want to have.
It is unclear which part of the SHOULD is not a MUST here.
Because we are talking only about interoperability, then the
number is 1024, which is what the key creators SHOULD be
making. But that is clearly a lower bound of what a typical
receiver might expect. Therefore, a short sentence like the
one proposed is insufficient. How about:
A receiving agent needs to be able to verify signatures whose
key length is chosen by the signer. At a minimum, a receiving
agent MUST be able to verify signatures whose key length is
1024 bits or shorter. However, most receiving agents are
likely to see signatures whose key length is longer than that
during the next decade.