On 03/27/14 13:56, Nicholas Weaver wrote:
So why the hell do the real operators of DNSSEC that matters, notably com and
., use 1024b RSA keys?
And don't give me that key-roll BS: Give me an out of date key for . and a MitM
position, and I can basically create a false world for many DNSSEC-validating
devices by also providing bogus time data with a MitM on NTP...
[Did not read all the discussion.]
Suppose I agree with the rationales for keys larger than 1024. Under
some relatively paranoid assumptions in the threat model, they make sense.
Turning to the solution space, why not 1280 or 1459? Then increase by
ever smaller jumps every two years.
Is it possible that the whole IT security community is social-engineered
into thinking that anything below 2048 is inadequate for any purpose?
Because the larger the RSA key size recommendations, the less severe the
relative ECC performance cost on digital signature verification
operations. Thus the ECC promoters have an interest in the underlying
expert community wisdom.
-- Thierry Moreau
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop