At 2:17 PM -0500 1/21/10, Edward Lewis wrote: >At 11:05 -0800 1/21/10, Eric Rescorla wrote: >>I still don't understand why this implies the need for regular changes >>as opposed to changes triggered by personnel changes. > >I'm a bit lost following this thread now. > >For the time being, let's ignore personnel changes and whether a key is in an >HSM (environment), i.e., assume there's no organizational threat to a key. > >The question is, how long does a key last? > >Meaning - if I am using an RSA-SHA256 key of 1024 bits, at what point does >it's security value reach essentially 0? > >Is the point X number of signatures?
No. There is no suspicion on the part of any cryptographer that I know of that the number of visible signatures is significant for a 1024-bit or above key. >Is the point Y number of days? Yes, if the number of days is in the thousands (currently) and the value of this key is high. Otherwise, no. >Is the point a function of X and Y? No, just Y. >Is there even a point at all? For most keys, no, at least for the next five years or so. That is, the *cost* of breaking a 1024-bit key, when that is feasible, is still much higher than the value of the broken key. Remember that a broken signing key is only valuable until the fact that it is broken is discovered and fixed. So, even if an attacker breaks your signing key, when he/she starts to use it for nefarious purposes and you discover that, you roll your key and the entire time of breaking the new key must be used again before they can mount another attack. >Even now, more than 10 years after the first SE workshop, I have never heard >an expert or authority on cryptography give neither a concrete answer nor >direction on this. I have tried, repeatedly, to do so, but I am not an expert, nor apparently enough of an authority for you. Ekr is both; let's see if he likes my response above. > While I realize the answer isn't as simple as "after 43,253 signatures" or > "after 1348 days", I haven't heard anything that could be used as guidance in > an operational setting. See above. >The "need for regular changes" stems from assumptions made in the early days >of DNSSEC development that have gone pretty much unchallenged until recently. >The door is open to (re)visit this topic, if anyone wants to venture opinions. See above. :-) >What I'd like to hear is: > >"Crypto-expert __________ says an RSA-SHA256 key of 1024 bits is good for >_______ signatures/days." If you hear that, the the value for the first variable will be worthless. You have to factor in the value of the key to the attacker for the short period in which they can use it before their actions are discovered and the broken key is replaced. >That's what I'd like for my birthday present this year. You're better off wishing for a pony. --Paul Hoffman, Director --VPN Consortium _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop