RE: Last ditch proposal for crypto suites

["Hallam-Baker, Phillip" <pbaker@verisign.com>]

> > As a practical matter requiring keys to be multiples of 32 bits is
> > also a good idea (there is a 1000 bit key in use).
> 
> Could you expand on this?  I don't see how this helps either
> interoperability or security.  

Long ago we generated a 1000 bit key and discovered all sorts of 
interesting bugs when other people tried to use the cert with their
code. Basically it is a matter of testing the large integer math 
on the crypto toolkits and being sure it has been done.


> We've run into interoperability issues when moving private keys
> between different RSA implementations due to assumptions made about
> the precise modulus size or the precise size of the primes.  
> 
> I'd hate to see the same happen for public keys as well, and I'd
> prefer to avoid forcing customers to regenerate their long-term keys
> to migrate to IKEv2.

Are odd key sizes common?


I would see this as very much an 'accept all/only generate' type
situation. Clearly there is no value in forcing regenration of 
keys. However I am somewhat nervous about the support and 
interoperability for odd shaped key sizes.

Again it is an issue of testing. I think it is reasonable to test
a key pair of every size from 1024 bits thru 2048 at 32 bit intervals,
at 1 bit intervals it would get very tedious indeed. Also we can even 
specify test vectors at those intervals.


		Phill