ietf-smime

RE: S/MIME v3.2 IDs key size text

2008-05-02 11:57:04

Sean:

I think the minimum supported size needs to be 2048 because:

1) Since at least April 2007 (over a year ago) Verisign has been issuing certs
with 2048 keys (I believe this is selectable when enrolling) (although the root
cert is only 1024!).
2) NIST is recommending 2048 by end of 2008 for signatures and key transport for
some apps [SP-800-78-1 Table 3.1].
3) Many/most hardware tokens (e.g. Safenet, Gem, Aladdin) are supporting 1024
and 2048 (only).

As far as going larger than 2048, in my brief survey, while there appears to be
a small level of interest in 3072 (and even 4096), beyond that many appear to be
recommending a switch to ECC because of the exponentially rising power/cpu costs
for larger RSA sizes (e.g. NSA Suite B).

So I would suggest making 2048 and smaller mandatory. And using a sentence like:
"Note that receiving agents may see signatures whose key length is longer than
2048 bits in the future, and support for lengths of 3072 and 4078 SHOULD be
provided to verify those signatures."

Or

 "... for lengths up to and including 4078 SHOULD ..."

to address optional support.

Tony


| -----Original Message-----
| From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
| [mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Turner, Sean P.
| Sent: May 2, 2008 1:39 PM
| To: ietf-smime(_at_)imc(_dot_)org
| Subject: RE: S/MIME v3.2 IDs key size text
| 
| 
| 
| Paul has suggested a rewording of his text for 4.1 as follows:
| 
| A receiving agent needs to be able to verify signatures whose 
| key length is chosen by the signer. For interoperability, a 
| receiving agent MUST be able to verify signatures whose key 
| length is 1024 bits or shorter. Being able to verify 
| signatures is mandatory because earlier versions of this 
| specification required the ability to generate signatures 
| with shorter key lengths. Note that most receiving agents are 
| likely to see signatures whose key length is longer than 1024 
| bits during the next decade, and those receiving agents will 
| want to be able to verify those signatures.
| 
| He's also suggested the following security consideration:
| 
| Receiving agents are only required to validate signatures 
| that are the same length as sending agents are required to 
| produce, namely 1024 bits. Many people feel that signatures 
| of 1024 bits do not meet their security requirements today, 
| or even if they meet their requirements today, they will not 
| meet their requirements in the foreseeable future. Therefore, 
| sending and receiving agents need to decide what strength of 
| signature they want to produce and validate, respectively. 
| Further, those decisions need to be reviewed periodically in 
| light of decreasing cryptographic strength over time of signatures.
| 
| spt
| 
| >-----Original Message-----
| >From: Paul Hoffman [mailto:phoffman(_at_)imc(_dot_)org]
| >Sent: Tuesday, March 25, 2008 2:12 PM
| >To: Turner, Sean P.; 'Russ Housley'; ietf-smime(_at_)imc(_dot_)org
| >Subject: RE: S/MIME v3.2 IDs key size text
| >
| >At 10:16 AM -0400 3/25/08, Turner, Sean P. wrote:
| >>This sounds reasonable. I replace the following sentence in 3851bis:
| >>
| >>A receiving agent SHOULD be able to verify signatures with keys of any
| >>size over 512 bits.
| >>
| >>with
| >>
| >>A receiving agent SHOULD be able to verify signatures with keys up to
| >>16384 bits.
| >
| >I disagree with the upper limit. Verifying signatures with 16K
| >bit keys is very difficult for constrained devices; this 
| >"SHOULD" may have the effect of making device makers need to 
| >use faster CPUs than they would normally want to have.
| >
| >It is unclear which part of the SHOULD is not a MUST here.
| >Because we are talking only about interoperability, then the 
| >number is 1024, which is what the key creators SHOULD be 
| >making. But that is clearly a lower bound of what a typical 
| >receiver might expect. Therefore, a short sentence like the 
| >one proposed is insufficient. How about:
| >
| >A receiving agent needs to be able to verify signatures whose
| >key length is chosen by the signer. At a minimum, a receiving 
| >agent MUST be able to verify signatures whose key length is 
| >1024 bits or shorter. However, most receiving agents are 
| >likely to see signatures whose key length is longer than that 
| >during the next decade.
|
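As an added example (not code from the thread or from any S/MIME implementation), a receiving-agent check in the spirit of the text under discussion: it reads the modulus length from a DER-encoded RSAPublicKey and maps it to the MUST/SHOULD verification requirement, with the mandatory ceiling as a parameter so it can be set to 1024 or to the 2048 Tony proposes; the 4096-bit upper SHOULD bound and the sample modulus are assumptions.

```python
# Added example, not code from the thread or any S/MIME product: receiving-agent key-length check.
def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if not 0 < n <= 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_integer(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _der_length(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length

def rsa_modulus_bits(der):
    """Bit length of n in a DER PKCS#1 RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e })."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _der_length(der, 1)
    end = pos + length
    n, pos = _der_integer(der, pos)
    e, pos = _der_integer(der, pos)
    if pos != end or n <= 0 or e <= 0:
        raise ValueError("malformed RSAPublicKey")
    return n.bit_length()

def classify_key_length(bits, mandatory_max=1024, optional_max=4096):
    """Requirement the proposed text imposes on a receiving agent for this key length."""
    if bits <= mandatory_max:
        return "MUST verify"
    return "SHOULD verify" if bits <= optional_max else "no requirement"

def encode_rsa_public_key(n, e):
    """DER-encode RSAPublicKey { n, e }; used here only to build sample input."""
    def length(size):
        if size < 0x80:
            return bytes([size])
        raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(raw)]) + raw
    def integer(v):
        body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # 0x00 pad when high bit set
        return b"\x02" + length(len(body)) + body
    body = integer(n) + integer(e)
    return b"\x30" + length(len(body)) + body

SAMPLE_KEY = encode_rsa_public_key((1 << 2047) | 1, 65537)  # constructed 2048-bit stand-in, not a real modulus
```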