> On Apr 25, 2022, at 1:31 PM, Havard Eidnes <h...@uninett.no> wrote:
> 
>>> On Apr 25, 2022, at 11:20 AM, Petr Menšík <pemen...@redhat.com> wrote:
>>> I think the only good way would be to start considering shorter keys as 
>>> insecure in FIPS mode.
>> 
>> Agreed.  We've been using 2408-bit ZSKs for more than ten years now.  It's 
>> definitely time to sunset acceptance of shorter keys at this point.
> 
> Well, as Bjørn Mork said, it's one thing to insist on generating own RSA 
> keypairs with >= 2048 bits or convert to using ECDSA, it's quite another to 
> insist that all the rest of the world do this conversion RIGHT NOW.  I'm 
> guessing that changing at least some of these will take a while, not perhaps 
> first and foremost for technical reasons.

I don’t disagree at all.  But we’re never going to get there if we don’t start.
And there will always be people who don’t get anything done if they’re not
pushed.  So I don’t know where that leaves us, other than “we need to start
pushing.”

                                -Bill


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
