On Thu, Jun 07, 2018 at 02:02:23PM -0400, Paul Wouters wrote:

> >    And furthermore, on 64-bit systems SHA512 tends
> >    to be somewhat faster (more with larger input sizes), because
> >    it processes input in 64-bit blocks.  On my x86_64 laptop,
> >    running OpenSSL 1.1.1 beta 'speed -evp', gives:
> 
> At the time, we were more concerned about packet size than CPU usage.

The packet size for RSA algorithms depends only on the modulus,
not the underlying hash function, which just needs to generate
hashes slightly shorter than the modulus.  With RSA keys of 1024
or more bits, SHA256 and SHA512 both fit, and produce signatures
of the same size.

> >    So I am not sure that algorithm 10 warrants discouragement so
> >    long as 8 is required.  Everyone is going to have both, and
> >    they're basically the same...  While the case *for* 10 is not
> >    strong, the case against 10 looks somewhat weak (does supporting
> >    10 for signing carry a real cost?)
> 
> I hope it is now clearer why we are doing this?

Well, I see that we end up with a bit less code-point diversity,
but in this case 8/10 are barely different and require the same
supporting code.  So while I'm not strongly advocating 10, I see
it as just a "tweak" of 8, and would expect to not differentiate
between them, use either, interoperate with neither or both...

Again, this comment is not an objection, just saying that I would
have treated 8 and 10 as interchangeable.

-- 
        Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
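
Added example, not part of the original message or of any DNSSEC implementation: the EMSA-PKCS1-v1_5 encoding (RFC 8017) that DNSSEC algorithms 8 and 10 sign with (RFC 5702), showing that the signature length follows the modulus and that the hash only sets a minimum modulus size. The function names and the sample message are assumptions made for illustration.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2 (EMSA-PKCS1-v1_5).
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def emsa_pkcs1_v15(message: bytes, hash_name: str, modulus_bits: int) -> bytes:
    """Return the encoded message EM that RSA then exponentiates mod n."""
    k = (modulus_bits + 7) // 8                      # modulus length in octets
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + 11:                              # 0x00 0x01, >= 8 x 0xff, 0x00
        raise ValueError(f"{modulus_bits}-bit modulus too short for {hash_name}")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def min_modulus_bits(hash_name: str) -> int:
    """Smallest whole-octet modulus that can carry this hash's DigestInfo."""
    digest_len = hashlib.new(hash_name).digest_size
    return 8 * (len(DIGEST_INFO[hash_name]) + digest_len + 11)

def signature_octets(hash_name: str, modulus_bits: int) -> int:
    """Signature length: EM is k octets, and so is EM^d mod n."""
    sample = b"constructed sample RRset"             # constructed input
    return len(emsa_pkcs1_v15(sample, hash_name, modulus_bits))

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        for name in ("sha256", "sha512"):
            try:
                print(bits, name, signature_octets(name, bits), "octets")
            except ValueError as err:
                print(bits, name, "rejected:", err)
```

The only size difference appears below 752 bits, where the SHA-512 DigestInfo no longer fits; the 512-bit case is rejected for SHA-512 but accepted for SHA-256.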
