Paul Hoffman <phoffman(_at_)imc(_dot_)org> writes:
...and none of these relate to the S/MIME standard, right?
Uhh, my posting specifically mentioned PKCS #7 signing (you actually quote the
sentence right below the above comment), which the last time I checked was
still S/MIME.
How many would you like?
Only real ones that relate to this thread, thank you.
Geeze, how many do you want me to dig up? The three I mentioned are ones
readily to hand and ones where I knew I could mention them (in anonymised
form), I'd have to ask about posting some of the others (and also spend way
more time than it's worth digging through old email to locate them). In any
case here's another one, from some years ago, again PKCS #7 (although PKCS #7
could probably be valid today as well, some places still don't know there's
something called CMS). Anyway, some folks were using 256-bit RSA keys to send
signed EDI messages around wrapped in PKCS #7 envelopes. The reason they used
these was because their application, written by some contractor in Java [0],
ran really slowly and their security guy [1] told them that the performance
problems were because of the RSA key size being used, which was initially 1K
bits (it had nothing to do with the fact that it was written in Java, it was
purely the RSA key size's fault). Since they were using keys twice as large
as the industry standard 128 bits and everyone knew 128 bits was totally
secure, they were perfectly OK.
If you have actual quotes of people saying that, fine; quoting someone third-
hand through an IETF security geek is not a good way to get accurate results.
It wasn't third-hand, it was either from me if I was involved in the work or
from the person who was involved if it wasn't me [2]. In the above case
(which I was directly involved with) "the standard doesn't disallow it" was
the argument given for using the 256-bit keys, some mere coders tried to point
out that this was wrong and the response was that there was nothing in the
standard so say it was wrong and anyway the contractors had already spent X
amount of time on it so unless anyone could come up with a good reason not to,
it was being deployed with 256-bit RSA signatures. And so it went.
Peter.
[0] This was before things like Bouncy Castle were freely available and
people had to build higher-level protocols from raw JCE parts with their
own three hands.
[1] He'd read the first two chapters of Applied Crypto.
[2] Or are you saying that other members of this list, who provided some of
the information, aren't reliable sources? Is there a vetting procedure
they're supposed to go through first? Shall I ask for affidavits?