ietf-smime

RE: WG Last Call: draft-ietf-smime-rfc3851bis-05.txt

2008-09-15 18:35:19

More than one person has asked about the different key sizes in
draft-ietf-smime-3850bis and draft-ietf-smime-3851bis.  To save people
searching through the archives, we should add some text to the security
considerations to address the following two issues: 1) Why don't the DSA and
RSA key sizes match up in terms of security strength and 2) Why is 4096 bits
the upper bound in draft-ietf-smime-3850bis (CERT) while the upper bound in
draft-ietf-smime-3851bis (MSG) is 2048.

1) The reason for the DSA key size recommendations not being the same as RSA
key size recommendations is that FIPS 186-3 only defines key sizes up to
1024.  With no informative/normative reference for us to point to we can't
suggest DSA key sizes greater than 1024.  So in draft-ietf-smime-3851bis, I
suggest the following change be made to say that when NIST does publish
something implementers ought to support the larger key sizes:

Old:

The choice of 2048 bits as the RSA asymmetric key size in this specification
is based on the desire to provide 100 bits of security.  The choice of 1024
bits as the DSA, and DH asymmetric key size in this specification is based
on the desire to provide 80 bits of security.  These key sizes seem prudent
for the Internet based on Section 4.3 of [STRENGTH].  There are other
environments (e.g., government, financial, and medical) that may consider
this key size to be inadequate.  Likewise, there are other environments that
may consider this key size to be excessive.

New:

The choice of 2048 bits as the RSA asymmetric key size in this specification
is based on the desire to provide 100 bits of security.  The standards to
offer the same level of security for DSA and DH are not yet available.  In
particular, [FIPS186-3] only defines DSA key sizes up to 1024 bits.  A
revision to support larger key sizes is being developed, and once it is
available, implementors ought to support DSA key sizes comparable to the RSA
key sizes recommended in this specification.  The key sizes that must be
supported to conform to this specification seem appropriate for the Internet
based on [STRENGTH].  Of course, there are environments, such as financial
and medical systems, that may select different key sizes.  For this reason,
an implementation MAY support key sizes beyond those recommended in this
specification.

2) With respect to the 4096 in draft-ietf-smime-rfc3850bis and 2048 in
draft-ietf-smime-rfc3851bis, the discussion went something like this: a)
draft-ietf-smime-3850bis only addresses certificate/CRL validation while
draft-ietf-smime-rfc3851bis addresses signature generation/verification and
encryption/decryption b) 4096 certificates are already in the Mozilla and MS
cert store.  To make sure people understand the difference in
draft-ietf-smime-rfc3850bis, I suggest adding the following to its security
considerations:

The 4096-bit RSA key size requirement for certificate and CRL verification
is larger than the 2048-bit RSA key sizes for message signature
generation/verification or message encryption/decryption in
[SMIME-MSG:draft-ietf-smime-rfc3851bis] because multiple certificate stores
already include Root certificates with 4096-bit keys.

spt

-----Original Message-----

Passing on some WG Last Call comments.

Russ

= = = = = = = = =

1) Section 1.6: Section 1.2 should be 1.3 (conventions section).  Sec
1.3: Added references ... should be
Sect 1.4: Added references...

Fixed.

2) Inconsistency: DSA with SHA-256 is a MUST in Section 1.6 and 
SHOULD+ in section 2.2.  3250-bis and 3251-bis should be consistent
for DSA with SHA-256.

DSA with SHA-256 should be SHOULD+ everywhere.

3) section 1.6 mentions Sec 2.5.2.1 (there is no 2.5.2.1)

2.5.2.1 just talked about RC2 so I deleted it entirely.  I'll split the
bullet in two:

Sec 2.5.2.1: Deleted entire section (discussed deprecated RC2).
Sec 2.7, 2.7.1, Appendix A: references to RC2/40 removed.

4) Section 1.6 referencing Sec 2.5.2:  "DES-3EDE-CBC" and "AES-128 
CBC" should be "DES-3EDE-CBC" with "AES-128 CBC"

Fixed

5) Section 1.6 referencing Sec 7: update should be updated

Fixed

6) I believe that Denis pointed this out already but there is a 
contradiction in key sizes for RSA signatures between 3850bis 
and 3851bis.

See above.

7) Error in reference [SMIMEv2] in both 3850bis and 3851bis; 
PKCS#7 is RFC 2315.

Fixed
