
Re: Fwd: Re: IKEv2 Key Size Conformance Requirements



At 3:29 AM +1300 10/31/02, Peter Gutmann wrote:
>I don't recall ever seeing a 1536-bit key being used, unless it was one that I
>archived without looking at it much (I'd need a grepasn1 alongside dumpasn1 to
>actually check each cert).  As a rule of thumb, where a few years ago you had
>512-bit certs with the odd gold-plated 1024-bit one for CAs, you're now seeing
>1024-bit with 2048-bit gold-plated ones for CAs.  1536 seems to have been
>skipped entirely (I know that in several cases 2048 is used because that's the
>biggest the CA hardware will do, rather than because of any real security
>evaluation).  If anyone wants a rigorous check of certs, I'll see if I can
>come up with a RE which lets me check dumpasn1 output for the key size.
>
>Peter.

Peter is generally the best Keeper Of Interesting Certs around, so 
I'll trust his judgement on this. If no one here says "1536 is 
important to me", I'm fine with taking it out of the MUSTs.


--Paul Hoffman, Director
--VPN Consortium