Re: IKEv2 Key Size Conformance Requirements



At 12:11 PM -0400 10/25/02, Housley, Russ wrote:
>I am a bit confused by the text in IKEv2-03.  I repeat a few 
>paragraphs from section 6:
>
>    X.509 certificates containing and signed by RSA keys of size 512,
>    768, 1024, and 2048 bits. (It SHOULD accept RSA keys of any multiple
>    of 8 bits in size from 512 bits to 4092 bits, and MAY accept RSA keys
>    of any size).  If there is a limit on the size of an X.509
>    certificate, it MUST be at least 8K. If there is a limit on the
>    length of a certificate chain, it MUST be at least 10.
>
>    X.509 certificates containing and signed by DSS keys of size 512,
>    768, 1024, and 2048 bits. (It MAY accept DSS keys of any size).
>
>Here are my concerns:
>
>1.  The first sentence of the first paragraph does not contain a 
>MUST.  I think we want implementations to be able to perform RSA 
>public key operations using 512, 768, 1024, and 2048 bit RSA public 
>keys.

On the grammar point, the sentence preceding these paragraphs makes 
it seem like the MUST is there, but the MUST appears later as well. A 
little grammarizing needed here.

On the list of actual key sizes, 512 and 768 should be removed from 
both lists. They are too small for modern security use.

Why are DSS certificates a MUST? Few people support them, and the 
amount of interop testing for them is negligible.

Why is every multiple of 8 bits required? Does anyone use these in real life?

Proposed new wording:

   A conforming implementation MUST be able to authenticate with X.509
   certificates containing and signed by RSA keys of size 1024, 1536, and
   2048 bits. It MAY process X.509 certificates of any size. If there is a
   limit on the length of a certificate chain, it MUST be at least 10.

   A conforming implementation MAY accept X.509 certificates containing
   and signed by non-RSA keys, such as DSS keys.


--Paul Hoffman, Director
--VPN Consortium