Re: questions: key length & cert retrieve: draft-ietf-ipsec-pki-req-01.txt
> a 512 signing a 1024 seems insecure, to me.
Not necessarily, if the smaller key is a short-term key and the larger
key is a longer-term key. An odd configuration, no doubt, but I know
at least some people like the idea of on-line CAs which give out
short-term certs...
Also, it's not immediately clear how to compare (e.g.) RSA and DSS key
lengths. It's certainly technically possible to have a cert signed by
a DSS key which contains an RSA key and vice versa.
Moreover, the "all keys must be the same length" restriction seems
tailor-made to prevent the gradual deployment of longer-length keys
through a network.
For this and other reasons I think the "all key lengths must be the
same" restriction should be removed from the draft.
- Bill