Re: speaking of keys

[daw@mozart.cs.berkeley.edu (David Wagner)]

The Purple Streak, Hilarie Orman wrote:
>The security of a 1024-bit DH is too small for my comfort (that of a
>reasonable paranoid) for a single key exchange.

But is it too small for the MUST requirement in the RFC?

As I see it, we have to balance two costs here.  If we require a
1024-bit modulus, there is a risk it will get broken in our lifetime.
If we require a 2048-bit modulus, some people will not use IPSEC because
it is too slow (this is not just a risk; this is for sure).  How do we
balance these two?

At the moment, I'm inclined to suggest a 1024, 1200, or 1500-bit modulus
for the MUST requirement.  One thing I've learned from the 802.11 fiasco
is that defaults matter, and it doesn't matter how good your crypto
is if noone uses it (did you know that more than half of all 802.11
networks are still running unencrypted?).  It seems unlikely to me that
the Diffie-Hellman will be the weak point in most deployed systems, so I
suspect the more conservative thing to do may be to maximize the number
of systems using IPSEC.  But, I don't feel all that strongly about it,
and I won't complain if some other size is chosen.