On Fri, Mar 28, 2014 at 11:28 AM, Thierry Moreau < thierry.mor...@connotech.com> wrote:
> On 03/27/14 13:56, Nicholas Weaver wrote: > >> >> >> So why the hell do the real operators of DNSSEC that matters, notably com >> and ., use 1024b RSA keys? >> >> And don't give me that key-roll BS: Give me an out of date key for . and >> a MitM position, and I can basically create a false world for many >> DNSSEC-validating devices by also providing bogus time data with a MitM on >> NTP... >> >> > [Did not read all the discussion.] > > Suppose I agree with the rationales for keys larger than 1024. Under some > relatively paranoid assumptions in the threat model, they make sense. > > Turning to the solution space, why not 1280 or 1459? Then increase by ever > smaller jumps every two years. > > Is it possible that the whole IT security community is social-engineered > into thinking that anything below 2048 is inadequate for any purpose. > Because the larger the RSA key size recommendations, the less severe the > relative ECC performance cost on digital signature verification operations. > Thus the ECC promoters have an in interest in the underlying expert > community wisdom. No, its due to the math. 1024 bit is roughly an 80 bit work factor 2048 is roughly 112 bit work factor This is the reason there is the expectation we have to move to EC approaches. Longer RSA key sizes deliver diminishing returns. The underlying problem is that the strength of RSA is strongly connected to the distribution of primes. And even though primes become more scarce at higher numbers, they do not become exponentially more scarce or else we couldn't use 2048 bit RSA because it would take exponentially longer to find the primes. There are steps we could take to make RSA less of a burden. We could use key compression for a start. It is actually possible to convey a 2048 bit key in 1024 bits. We could also use one of the key compression schemes but I am not sure if those are the source of the vulnerabilities that discourage use of RSA. -- Website: http://hallambaker.com/
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
