Thanks, Paul. At 11:32 AM -0400 4/24/09, Paul Wouters wrote: >So it seems to me that using 1024 bit RSA keys for ZSK, and 2048 bit >keys for KSK, assuming RFC 4641 rollover periods, are still many orders >of magnitude safe for our use within the DNSSEC realm. In fact, it >seems RFC4641, as written in 2006, is still extremely conservative in >its estimates two and a half years after its publication date.
That is fine, but so is 1024 bit KSKs. The text in RFC 4641bis makes it clear that KSKs should be rollable in case of an emergency; the effort to do so is greater, but not that much greater, than rolling a ZSK. The WG should decide which seems better to recommend: a) KSKs longer than ZSKs because KSKs are thought of as needing to be stronger b) KSKs the same strength as ZSKs because neither should be weak enough to be attacked I prefer (b), but (a) keeps coming up in this discussion. >Note that the same does not apply for DSA. As I understood it, DSA >requires the use of some randomness for each signature, and the errors >in the random number generator are cummulative when attempting to crack >this key. In other words, the more data you sign, the more vulnerable >you become to the tiniest imperfection in your HWRNG. That's not the problem. If the per-message random number used in signing is found, the private key is disclosed; there is no requirement for a cumulative error. That has not proven to be a problem for DSA in its current uses, but the random number generator *must* always be a concern. --Paul Hoffman, Director --VPN Consortium _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
