
Re: Fwd: Re: IKEv2 Key Size Conformance Requirements





>>>>> "Bill" == Bill Sommerfeld <sommerfeld@east.sun.com> writes:
    >> My opinion is that the conservative course is to only require
    >> support of 1024 and 2048 bit keys, but I really don't much care (so
    >> long as we make a decision).

    Bill> Unless someone can demonstrate there's a meaningful difference in
    Bill> security between a 1022-bit and a 1024-bit key, may I suggest that
    Bill> Postel's rule of thumb ("Be liberal in what you accept and
    Bill> conservative in what you send") applies here?

    Bill>  - MUST generate keys with moduli which are exactly at these bit sizes
    Bill>  - SHOULD accept keys with moduli even if slightly smaller than the mandatory 
    Bill> sizes.

  I strongly agree.
  The FreeSWAN default key size is presently 2192 bits. Why that number?
Because it is a bit bigger than 2048.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

