At 1:05 PM -0500 1/25/10, Paul Wouters wrote:
>On Mon, 25 Jan 2010, Edward Lewis wrote:
>
>>Last time I looked (a few months ago) most signed TLDs use 2048 bit KSKs 
>>and 1024 bit ZSKs. Perhaps there is no reason to have two different sized 
>>keys, I would guess that since "a chain is only as strong as its weakest 
>>link" all keys could be dropped to 1024, or even less.
>
>The weakness of a key is partially determined by the length of its usage
>period. If you plan to use the KSK for a period 12 times longer, making it
>1024 is not making it equal to the ZSK strength of "1024 for 30 days"

Exactly right, but still mostly irrelevant. What is the value of the keys you 
are talking about? Is one so valuable that an attacker would spend the amount 
of money and time needed to break it? What value would they get from that 
attack?

More importantly: could the attacker get more value from spending the money and 
time breaking a different key of the same size? Look at the myriad of 1024-bit 
keys in the world whose lifetimes are much longer than a year. If any of them 
would yield a better result for the attacker, he won't bother with yours; if 
yours is the highest value, he won't bother with the others.

If you really believe that a 1024-bit ZSK key is the appropriate size for a 
month, then you only need something about 12 times as strong for the KSK under 
the same threat model. 1536 bits would be much more than you needed; a rough 
estimate would be 1200 bits. The reason these numbers are never discussed in 
DNSOP is because no one is discussing their actual threat model and the 
estimated value of the attacks.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
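The "about 12 times as strong" estimate above can be worked through numerically. The following is an added example, not code from the thread or any DNSOP document. It assumes that the cost of breaking an RSA key is approximated by the asymptotic GNFS running time L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped; that formula is only useful for comparing key sizes against each other, not for absolute attack cost, and any other factoring-cost model would give somewhat different numbers. The key sizes, the 12x lifetime ratio and the function names are the example's own choices.

```python
import math

# Heuristic GNFS cost for factoring an n-bit RSA modulus, expressed as
# ln(work) = (64/9)^(1/3) * (ln n)^(1/3) * (ln ln n)^(2/3).
# Assumption: the o(1) term is ignored, so only ratios between key
# sizes are meaningful, never the absolute value.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_log_work(bits):
    """Natural log of the factoring work for a modulus of `bits` bits."""
    ln_n = bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def work_ratio(bits_a, bits_b):
    """How many times harder factoring a bits_a modulus is than a bits_b one."""
    return math.exp(gnfs_log_work(bits_a) - gnfs_log_work(bits_b))


def min_bits_for_factor(base_bits, factor, step=1):
    """Smallest modulus size at least `factor` times as hard to factor as base_bits.

    This is the "KSK used N times longer than the ZSK needs N times the
    work to break" argument from the thread, turned into a search over
    key sizes under the GNFS heuristic.
    """
    target = gnfs_log_work(base_bits) + math.log(factor)
    bits = base_bits
    while gnfs_log_work(bits) < target:
        bits += step
    return bits


if __name__ == "__main__":
    zsk_bits = 1024          # hypothetical ZSK size, as discussed in the thread
    lifetime_ratio = 12      # KSK rolled 12x less often than the ZSK
    ksk_bits = min_bits_for_factor(zsk_bits, lifetime_ratio)
    print(f"{lifetime_ratio}x the work of RSA-{zsk_bits}: about {ksk_bits} bits")
    print(f"RSA-1536 vs RSA-1024: {work_ratio(1536, zsk_bits):.0f}x the work")
    print(f"RSA-2048 vs RSA-1024: {work_ratio(2048, zsk_bits):.1e}x the work")
```

Under this model the 12x target lands a little above 1100 bits, in the same neighbourhood as the rough 1200-bit figure, while RSA-1536 comes out several orders of magnitude harder than RSA-1024 rather than 12 times harder. The point the numbers make is that the argument turns entirely on the chosen threat model (attacker effort, key lifetime, and what the key protects), which is exactly what the message says is missing from the discussion.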
