Petr Menšík <pemen...@redhat.com> writes: > Our crypto team is > responsible for preparing RHEL 9 for FIPS 140-3 certification. They said > there is legal obligation to stop using all RSA signatures with keys > shorter than 2048 bits.
Either they're wrong or you're misquoting them by merging "signing" and "verifying" into the confusing and misleading term "using". FIPS 140-3 is a bit more specific than that, fortunately. See table 2 in https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf which shows the status of RSA keys with 1024 ≤ len(n) < 2048 for Digital Signature Verification as "Legacy use". The text following that table provides more detail: Key lengths providing less than 112 bits of security that were previously specified in FIPS 186 are allowed for legacy use when verifying digital signatures. and RSA: See FIPS 186-239 and FIPS 186-4,40 which include modulus lengths of 1024, 1280, 1536 and 1792 bits, may continue to be used for signature verification but not signature generation Bjørn _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop