On Apr 25, 2022, at 15:32, Bill Woodcock <wo...@pch.net> wrote:
>
>> On Apr 25, 2022, at 1:31 PM, Havard Eidnes <h...@uninett.no> wrote:
>>
>>>>> On Apr 25, 2022, at 11:20 AM, Petr Menšík <pemen...@redhat.com> wrote:
>>>>> I think the only good way would be starting considering shorter keys as
>>>>> insecure in FIPS mode.
>>>
>>> Agreed. We've been using 2408-bit ZSKs for more than ten years now. It's
>>> definitely time to sunset acceptance of shorter keys at this point.
>>
>> Well, as Bjørn Mork said, it's one thing to insist on generating own RSA
>> keypairs with >= 2048 bits or convert to using ECDSA, it's quite another to
>> insist that all the rest of the world do this conversion RIGHT NOW. I'm
>> guessing that changing at least some of these will take a while, not perhaps
>> first and foremost for technical reasons.
>
> I don’t disagree at all. But we’re never going to get there if we don’t
> start. And there will always be people who don’t get anything done if
> they’re not pushed. So I don’t know where that leaves us, other than “we
> need to start pushing.”

I don’t think this is much of a problem either since it’s limited to FIPS mode.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop