At 6:16 AM +1200 5/3/08, Peter Gutmann wrote:
"Turner, Sean P." <turners(_at_)ieca(_dot_)com> writes:
A receiving agent needs to be able to verify signatures whose key length is
chosen by the signer. For interoperability, a receiving agent MUST be able to
verify signatures whose key length is 1024 bits or shorter.
[...]
Receiving agents are only required to validate signatures that are the same
length as sending agents are required to produce, namely 1024 bits.
Aren't these mutually exclusive?
Yes; that's why they are in separate sections.
(The "or shorter" attached to the "1024" is also going to prove problematic
with FIPS-evaluated crypto implementations, since you can't do < 1024 bits for
those).
That's just plain wrong. Nothing in the FIPS evaluation says that you
cannot verify signatures shorter than what they require.