[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fwd: Re: IKEv2 Key Size Conformance Requirements

To: Charlie_Kaufman@notesdev.ibm.com
Subject: Re: Fwd: Re: IKEv2 Key Size Conformance Requirements
From: Stephen Kent <kent@bbn.com>
Date: Mon, 4 Nov 2002 12:27:20 -0500
Cc: ipsec@lists.tislabs.com
In-Reply-To: <OF9C379683.848477F0-ON85256C67.00064160-85256C67.0007D05B@iris.com>
References: <OF9C379683.848477F0-ON85256C67.00064160-85256C67.0007D05B@iris.com>
Sender: owner-ipsec@lists.tislabs.com

At 8:25 PM -0500 11/3/02, Charlie_Kaufman@notesdev.ibm.com wrote:
>Based on this discussion, I propose change the MUST requirements to 1024
>and 2048 bit RSA keys (both public and private), with a MAY for all other
>sizes. I would expect most implementations would implement a large
>collection of sizes, but this avoids unnecessary growth of the testing
>matrix. (And yes, I'll fix the wording so that the MUST requirements have
>the keyword MUST in them).
>
>Objections? I'm concerned about the following:
>
>Bill Sommerfeld <sommerfeld@east.sun.com> wrote:
>>  For what it's worth, I'll repeat what I said last time.. *in real
>>  life* I've seen both PGP and SSH implementations generate keys with
>>  moduli which were a bit or two shorter than the desired size.
>
>Key generation implementations that pick random primes sometimes come up
>with moduli a bit or two shorter than they had intended. There is something
>to be said for explicitly allowing them by requiring support for such
>moduli. On the other hand, at one time the default CSP that shipped with
>Microsoft Windows had a restriction that it could only work with moduli
>that were a multiple of 8 bits (or was it 16 bits?) long. When I inquired
>at the time, I was told that they knew about the problem but had no plans
>to fix it. I don't know whether they have. There may be other
>implementations around with similar restrictions, so there is something to
>be said for disallowing keys that would break those implementations. My
>opinion is that the conservative course is to only require support of 1024
>and 2048 bit keys, but I really don't much care (so long as we make a
>decision).
>
>What about DSS keys? I made them a MUST in my draft, and one person
>protested. How many would protest if it were a MAY? I don't think DSS keys
>are much used, but it seemed politically correct to require them anyway. I
>don't even have an opinion on this one... just wrote what I thought would
>raise the fewest howls.
>
>           --Charlie

Charlie,

I think the 1024 and 2048 MUSTs for RSA are right, based on Peter's 
comments and my observations as well (e.g., from, my days as CTO for 
CVyberTrust).

I think DSS is not used much commercially, so a MAY might be about 
right here.  I'll ask my Gov contacts if they see this as a problem, 
i.e., do they need to use DSS certs with IPsec in commercial products.

Steve

References:
- Re: Fwd: Re: IKEv2 Key Size Conformance Requirements
  - From: Charlie_Kaufman@notesdev.ibm.com

Prev by Date: RE: Dead peer detection
Next by Date: Public key distribution methods?
Prev by thread: Re: Fwd: Re: IKEv2 Key Size Conformance Requirements
Next by thread: Re: Fwd: Re: IKEv2 Key Size Conformance Requirements
Index(es):
- Date
- Thread