On Mon, Mar 1, 2010 at 5:26 AM, Rose, Scott W. <scott.r...@nist.gov> wrote: > The 1024 bit key guideline is for response sizes (biggest stumbling block > we've encountered so far in .gov deployment). > > The rollover frequency is largely based on an extended time frame. The > extended roadmap is to try and migrate to ECC by 2015, and there is some > belief that 1024 bit RSA might become "breakable" in months (with reasonable > cost - for some definition of "reasonable") by 2015. I remember some paper > being reference, but I don't recall which one. And no, I don't fully > understand all of it either, but the near goal (response size) was met, > which was the primary concern for now given the deployment deadlines within > Federal IT security.
I don't really see how this addresses the question without some definition of "reasonable". If a key is breakable at cost C in M months, then it's breakable at cost Cx in M/x months. Since the x values we're talking about here are on the order of 10, then you're basically claiming that you can estimate the attacker's capabilities to within a factor of 5-10, which seems fairly implausible. Even if you do think this is true, it would be far more effective to simply use fractionally larger RSA keys. My understanding is that the major obstacle to using (for instance) 1100-bit RSA keys is that NIST only accepts a small number of concrete key sizes for FIPS 140. If so, rather than specifying a short rollover time, perhaps NIST could address that. > Overall, US Federal gov't security policy errs on the side of caution. > Frequent rolling of keys is seen as good practice, even if the evidence on > its effectiveness isn't fully proven. It's not at all clear to me that this errs on the side of caution. After all, there are potential risks of exposure with rolling keys all the time, since it comes with higher management overhead. -Ekr _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
