Thank you for those references; they are very useful. I need to discuss our stance internally first. I think we should have a better response prepared.
It may take a few days to formulate and explain our direction.

Thanks,
Petr

On 4/25/22 12:02, Bjørn Mork wrote:
> Petr Menšík <pemen...@redhat.com> writes:
>
>> Our crypto team is
>> responsible for preparing RHEL 9 for FIPS 140-3 certification. They said
>> there is a legal obligation to stop using all RSA signatures with keys
>> shorter than 2048 bits.
>
> Either they're wrong or you're misquoting them by merging "signing" and
> "verifying" into the confusing and misleading term "using". FIPS 140-3
> is a bit more specific than that, fortunately.
>
> See table 2 in
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
> which shows the status of RSA keys with 1024 ≤ len(n) < 2048 for Digital
> Signature Verification as "Legacy use".
>
> The text following that table provides more detail:
>
>   Key lengths providing less than 112 bits of security that were
>   previously specified in FIPS 186 are allowed for legacy use when
>   verifying digital signatures.
>
> and
>
>   RSA: See FIPS 186-2[39] and FIPS 186-4,[40] which include modulus lengths
>   of 1024, 1280, 1536 and 1792 bits, may continue to be used for
>   signature verification but not signature generation
>
>
> Bjørn
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
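The distinction Bjørn draws from SP 800-131A rev2 Table 2 (RSA moduli of 1024 to 2047 bits are "legacy use" for signature verification but disallowed for signature generation, and anything below 1024 bits is disallowed for both) is easy to get wrong in a validator or signer if the policy is written as a single "minimum key size". The following is an added example, not code from this thread or from Red Hat: it classifies an RSA public key by the SP 800-131A rule for each operation separately, deriving the modulus length from the DNSKEY RSA wire format of RFC 3110 (the assumption being that the keys under discussion are DNSSEC keys; the RFC 3110 layout is exponent length, exponent, modulus). The sample keys are constructed stand-ins whose moduli have the right bit length but are not real RSA moduli, since only the length matters to the policy check.

```python
"""Classify RSA public keys under NIST SP 800-131A rev2 Table 2, sign vs verify."""
from typing import Literal

Operation = Literal["sign", "verify"]
Status = Literal["acceptable", "legacy", "disallowed"]


def rsa_status(modulus_bits: int, operation: Operation) -> Status:
    """SP 800-131A rev2, Table 2, rules for RSA digital signatures.

    Signature generation:   len(n) < 2048 disallowed, len(n) >= 2048 acceptable.
    Signature verification: len(n) < 1024 disallowed, 1024 <= len(n) < 2048
                            legacy use, len(n) >= 2048 acceptable.
    """
    if operation == "sign":
        return "acceptable" if modulus_bits >= 2048 else "disallowed"
    if operation == "verify":
        if modulus_bits >= 2048:
            return "acceptable"
        if modulus_bits >= 1024:
            return "legacy"
        return "disallowed"
    raise ValueError(f"unknown operation {operation!r}")


def parse_rfc3110_pubkey(pubkey: bytes) -> tuple[int, int]:
    """Decode the RSA public key wire format used in DNSKEY RDATA (RFC 3110).

    Layout: exponent length (one byte; or 0x00 followed by a two-byte big-endian
    length when the exponent is 256 bytes or longer), then exponent, then modulus.
    Returns (exponent, modulus) as integers.
    """
    if not pubkey:
        raise ValueError("empty public key")
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    exponent = pubkey[off:off + exp_len]
    modulus = pubkey[off + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated key material")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")


def encode_rfc3110_pubkey(exponent: int, modulus: int) -> bytes:
    """Inverse of parse_rfc3110_pubkey; used here to build the sample keys."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    prefix = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return prefix + e + n


def modulus_bits(pubkey: bytes) -> int:
    """len(n) in the sense of SP 800-131A: the bit length of the modulus."""
    _, n = parse_rfc3110_pubkey(pubkey)
    return n.bit_length()


def validator_accepts(pubkey: bytes) -> bool:
    """A verifier may keep using legacy-use keys (1024..2047 bits)."""
    return rsa_status(modulus_bits(pubkey), "verify") in ("acceptable", "legacy")


def signer_may_use(pubkey: bytes) -> bool:
    """A signer may only generate signatures with keys that are 'acceptable'."""
    return rsa_status(modulus_bits(pubkey), "sign") == "acceptable"


def sample_key(bits: int, exponent: int = 65537) -> bytes:
    """Constructed stand-in: a modulus of exactly `bits` bits. It is NOT a real
    RSA modulus (it has no chosen prime factors); only its length matters here."""
    n = (1 << (bits - 1)) | 1
    return encode_rfc3110_pubkey(exponent, n)


if __name__ == "__main__":
    for bits in (512, 1024, 1536, 2048, 4096):
        key = sample_key(bits)
        print(f"{bits:5d}-bit RSA: verify={rsa_status(bits, 'verify'):10s} "
              f"sign={rsa_status(bits, 'sign'):10s} "
              f"validator_accepts={validator_accepts(key)} "
              f"signer_may_use={signer_may_use(key)}")
```

The point of keeping `rsa_status` keyed on the operation is that a validator configured with a single `min_rsa_bits = 2048` would reject legacy-use keys that the standard still permits it to verify, while a signer configured with `min_rsa_bits = 1024` would generate signatures the standard disallows; the two sides need different thresholds.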