At 5:12 PM -0700 5/9/08, Blake Ramsdell wrote:
> On Fri, May 09, 2008 at 02:40:17PM -0700, Paul Hoffman wrote:
>> Beyond what Russ just pointed out, I find the first line to be in bad
>> taste. Any IETF spec that says "you must not be able to verify a signature
>> even though it is valid" is pretty offensive.
>>
>> Can we return to talking about interoperability?
>
> I think you and I are on the same page, and there are two things:
>
> 1. Interoperability. The key sizes to guarantee two implementations will talk
> to each other.
>
> 2. Security considerations. The key sizes that are a no-no due to insufficient
> or overly-sufficient size.
>
> Have we given up on the separation of these?

For interoperability, the receiver MUST be able to verify all sizes
that the signer MUST be able to sign. For security, the signer MUST
be able to sign using keys of at least a certain size.

A receiver should expect that some of the signatures it wants to
verify will be bigger than the one size in the spec because a
receiver cannot accurately predict the security decisions of all the
senders with which it interacts.

I propose that that size is 1024 bits: that's plenty of strength for
most typical non-paranoid applications for at least five years. If it
turns out to be too short due to an unexpected large reduction in
strength of RSA, we can revise then. Quite frankly, in that case, we
might be recommending ECDSA anyhow.