Re: Updated RSA SHA-2 draft / New draft: SSH Extension Negotiation

To: Damien Miller <djm%mindrot.org@localhost>
Subject: Re: Updated RSA SHA-2 draft / New draft: SSH Extension Negotiation
From: "Mark D. Baushke" <mdb%juniper.net@localhost>
Date: Tue, 10 Nov 2015 01:01:05 -0800

Damien Miller <djm%mindrot.org@localhost> writes:

> On Sun, 8 Nov 2015, denis bider wrote:
> 
> > (1) I have uploaded a new version of the RSA SHA-2 draft:
> > 
> > https://tools.ietf.org/html/draft-rsa-dsa-sha2-256-02
> 
> Some feedback on the draft:
...elided...
> Is it worthwhile to specify a minimum key size for the new signature
> schemes?

Hmmm... I am not sure. I would suggest a minimum of 2048 or 3072 would
seem to fit, but that might already be covered from RFC 4251 which has:

RFC 4251 Section 4.4 Security Properties says:

"All algorithms are used with cryptographically sound key sizes
 that are believed to provide protection against even the strongest
 cryptanalytic attacks for decades."

Do we believe that 112 bits of security will (i.e., RSA 2048-bit keys)
will last for decades? If not, do we want to go for RSA 3072-bit keys
with 128 bits of security (like AES-128) and SHA2-256?

Or, should we let the developers just choose what they will and hope for
the best?

	-- Mark

References:
- Updated RSA SHA-2 draft / New draft: SSH Extension Negotiation
  - From: denis bider
- Re: Updated RSA SHA-2 draft / New draft: SSH Extension Negotiation
  - From: Damien Miller

Prev by Date: RE: Experimental server for RSA SHA-2
Next by Date: RE: Experimental server for RSA SHA-2
Previous by Thread: Re: Updated RSA SHA-2 draft / New draft: SSH Extension Negotiation
Next by Thread: Re: Updated RSA SHA-2 draft / New draft: SSH Extension Negotiation
Indexes:

Home | Main Index | Thread Index | Old Index