Petr Menšík <pemen...@redhat.com> writes:

> Our crypto team is
> responsible for preparing RHEL 9 for FIPS 140-3 certification. They said
> there is legal obligation to stop using all RSA signatures with keys
> shorter than 2048 bits.

Either they're wrong or you're misquoting them by merging "signing" and
"verifying" into the confusing and misleading term "using".  FIPS 140-3
is a bit more specific than that, fortunately.

See table 2 in
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
which shows the status of RSA keys with 1024 ≤ len(n) < 2048 for Digital
Signature Verification as "Legacy use".

The text following that table provides more detail:

  Key lengths providing less than 112 bits of security that were
  previously specified in FIPS 186 are allowed for legacy use when
  verifying digital signatures.

and

  RSA: See FIPS 186-239 and FIPS 186-4,40 which include modulus lengths
  of 1024, 1280, 1536 and 1792 bits, may continue to be used for
  signature verification but not signature generation


Bjørn

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to