On Thu, Jan 21, 2010 at 9:09 PM, Paul Wouters <p...@xelerance.com> wrote:
> On Thu, 21 Jan 2010, Eric Rescorla wrote:
>
>>>> The point is that the numbers depend on your model of the attacker
>>>> more than on the cryptography.
>
>> Yes, but my point is that the safety period depends on your assumptions
>> about the attacker's resources, which is why this is not really a
>> technical issue.
>
> It is also based on the presumed technological advances of attackers. If
> you talk to a cryptographer about a 1024 bit RSA key, they will tell you
> "don't use that anymore". When you tell them "well, it is very useful
> to us to reduce packet size in DNS" they tell you "go use ECC".
>
> We made a technological trade-off. Though extremely conservative, all the
> cryptographers (or really cryptanalysts) I talked to are more conservative
> than we have been. Whether you call this technical or philosophical does
> not really change the issue. The model of the attacker is a fundamental
> part of the cryptography.

I really have no idea what you're talking about here. There is widespread
agreement about the technical difficulty of attacking RSA. The question
of how that impacts your behaviors is primarily an economic question,
not a cryptographic one.

With that said, cryptographers actually don't tend to think particularly deeply
about the attack model; rather they assume a certain fairly idealized model
of attacker capabilities and try to demonstrate that their systems have
certain properties under those models. This is fundamentally different
from the kind of thinking required here.

-Ekr
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
