>>Furthermore, comparing the strengths of kex, auth, ciphering and PRF seems
>>like comparing apples, oranges, pears and kumquats.
>>
>>Even if the nominal strengths are the same, the scaling of strengths is going
>>to be different (e.g. the quadric vs. linear sub-threshold scaling for ECDH vs.
>>symmetric).
>
> +1. It's just more numerology:

In that case, we should dispense with any larger key sizes and recommend exactly one per algorithm, and vary only on algorithm. Adopting this would simplify things even further by reducing the cipher set list by an order of magnitude.

Sadly, I'm guessing there are numerological requirements in various standards and regulations that make it necessary to keep both AES-128 and AES-256 around, for example. There are also a ton of existing 2048-bit RSA keys that aren't going anywhere for a while.

I'm also skeptical of statements like "Using any known technology it's unlikely that humans can ever get beyond about 2^^100 operations", because that's true exactly up until it isn't. An open question is whether the innovation that undoes this will also subsume much larger keys.

Kyle

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls