> On May 8, 2017, at 12:46 PM, Paul Wouters <p...@nohats.ca> wrote:
>
>> The RSA KEY size allowed for these new supposed stronger Digest algorithms
>> is still left at 1024 or 1280 bytes, even though a number
>> of other parts of the Internet community will not consider signatures by
>> keys with less than 2048 bits.
>
> Not only that, but the reason specified is to bump RSA from
> RSASSA-PKCS1-v1_5 to RSASSA-PSS. As far as I know, the security
> issues of RSASSA-PKCS1-v1_5 are that when using it to _encrypt_
> bogus data, it can be used as an oracle to obtain private key
> bits. That means there is no on-the-wire security issue with
> RSASSA-PKCS1-v1_5 for Digital Signatures. And if HSMs are used
> to protect access to private keys, those keys should be marked
> as "signing only keys" to avoid exposing the private key via this
> attack if the machine with the HSM is compromised.
If we are going to stick with RSA signatures, then I agree that we should move toward RSASSA-PSS. However, if we are going to make a change, then it is probably time to move toward the shorter public keys offered by elliptic curve cryptography.

Russ
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop