ietf-smime

RE: S/MIME v3.2 IDs key size text

2008-05-02 11:07:29

Paul has suggested a rewording of his text for 4.1 as follows:

A receiving agent needs to be able to verify signatures whose key length is
chosen by the signer. For interoperability, a receiving agent MUST be able
to verify signatures whose key length is 1024 bits or shorter. Being able to
verify signatures is mandatory because earlier versions of this
specification required the ability to generate signatures with shorter key
lengths. Note that most receiving agents are likely to see signatures whose
key length is longer than 1024 bits during the next decade, and those
receiving agents will want to be able to verify those signatures.

He's also suggested the following security consideration:

Receiving agents are only required to validate signatures that are the same
length as sending agents are required to produce, namely 1024 bits. Many
people feel that signatures of 1024 bits do not meet their security
requirements today, or even if they meet their requirements today, they will
not meet their requirements in the foreseeable future. Therefore, sending
and receiving agents need to decide what strength of signature they want to
produce and validate, respectively. Further, those decisions need to be
reviewed periodically in light of decreasing cryptographic strength over
time of signatures.

spt

-----Original Message-----
From: Paul Hoffman [mailto:phoffman@imc.org]
Sent: Tuesday, March 25, 2008 2:12 PM
To: Turner, Sean P.; 'Russ Housley'; ietf-smime@imc.org
Subject: RE: S/MIME v3.2 IDs key size text

At 10:16 AM -0400 3/25/08, Turner, Sean P. wrote:
> This sounds reasonable. I replace the following sentence in 3851bis:
>
> A receiving agent SHOULD be able to verify signatures with keys of any
> size over 512 bits.
>
> with
>
> A receiving agent SHOULD be able to verify signatures with keys up to
> 16384 bits.

I disagree with the upper limit. Verifying signatures with 16K bit keys is
very difficult for constrained devices; this "SHOULD" may have the effect of
making device makers need to use faster CPUs than they would normally want
to have.

It is unclear which part of the SHOULD is not a MUST here. Because we are
talking only about interoperability, then the number is 1024, which is what
the key creators SHOULD be making. But that is clearly a lower bound of what
a typical receiver might expect. Therefore, a short sentence like the one
proposed is insufficient. How about:

A receiving agent needs to be able to verify signatures whose key length is
chosen by the signer. At a minimum, a receiving agent MUST be able to verify
signatures whose key length is 1024 bits or shorter. However, most receiving
agents are likely to see signatures whose key length is longer than that
during the next decade.

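An added example, not text from this thread and not code from the S/MIME drafts or any
S/MIME implementation: a receiving-agent key-length gate in Python that applies the
1024-bit interop floor quoted above (a receiver MUST verify keys of 1024 bits or
shorter) alongside a local policy with a site minimum, as the security consideration
suggests, and a maximum that caps the verification cost a constrained device is willing
to pay, as in the objection to a 16384-bit SHOULD. The RSA is textbook RSA over a
SHA-256 digest with no PKCS#1 encoding, used only so the example runs with the standard
library; the policy names, verdict strings, key sizes and limits are assumptions for
illustration, and the sample message is constructed.

```python
"""Receiving-agent key-length gate for RSA signatures (added example).

Textbook RSA over a SHA-256 digest (no PKCS#1 v1.5 / PSS encoding) is used only
so this runs on the standard library; real S/MIME agents use a PKCS#1 library.
Policy names, limits and verdict strings are assumptions for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass

# Interop floor from the draft text in the thread: a receiving agent MUST be
# able to verify signatures whose key length is 1024 bits or shorter.
MANDATORY_VERIFY_BITS = 1024
PUBLIC_EXPONENT = 65537


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; adequate for an example key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with its top two bits set, so p*q has exactly full length."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa_key(bits: int):
    """Return (n, e, d) with n exactly `bits` long (hypothetical helper)."""
    half = bits // 2
    while True:
        p, q = _random_prime(half), _random_prime(bits - half)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT != 0:
            n = p * q
            assert n.bit_length() == bits
            return n, PUBLIC_EXPONENT, pow(PUBLIC_EXPONENT, -1, phi)


def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, key) -> int:
    n, _e, d = key
    return pow(_digest_int(message), d, n)


def verify_signature(message: bytes, signature: int, n: int, e: int) -> bool:
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == _digest_int(message)


@dataclass(frozen=True)
class KeySizePolicy:
    """min_bits: strength the site insists on; max_bits: cost cap for small devices."""
    min_bits: int = MANDATORY_VERIFY_BITS
    max_bits: int = 4096


def policy_breaks_interop(policy: KeySizePolicy) -> bool:
    """True if the local minimum refuses keys the draft says MUST be verifiable."""
    return policy.min_bits > MANDATORY_VERIFY_BITS


def check_key_size(modulus_bits: int, policy: KeySizePolicy) -> str:
    if modulus_bits < policy.min_bits:
        return "rejected_key_too_short"
    if modulus_bits > policy.max_bits:
        return "rejected_key_too_long"
    return "accepted"


def receive(message: bytes, signature: int, n: int, e: int, policy: KeySizePolicy) -> str:
    """Gate on key length first, then pay for the modular exponentiation."""
    verdict = check_key_size(n.bit_length(), policy)
    if verdict != "accepted":
        return verdict
    return "accepted" if verify_signature(message, signature, n, e) else "rejected_bad_signature"


if __name__ == "__main__":
    key = generate_rsa_key(1024)
    n, e, _ = key
    sig = sign(b"constructed sample message", key)
    print(receive(b"constructed sample message", sig, n, e, KeySizePolicy()))
```

The length check runs before the signature check on purpose: a 16384-bit modulus costs
roughly sixteen times the squarings of a 1024-bit one per exponentiation, so a constrained
receiver that wants to refuse such keys should do so before spending that time.
`policy_breaks_interop` is the caveat for the strict case: a site minimum above 1024 bits
is a deliberate choice to refuse signatures the draft says every receiver MUST be able to
verify, and that choice should be reviewed as key sizes in use grow.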