On 09/08/2013 02:00 PM, Leo Gaspard wrote:
And this means that, as long as the drawbacks associated with the use of the key are assumed by the key owner only (as the tables state, encrypt and verify operations being almost unchanged in time), preconizing 10kbit RSA keys is no issue, and can only improve overall security, to the key owner's usability's detriment at most.
The problem here is the "knowledge sieve" issue. Ole asked some questions and did some research, then filtered what he got back through a mixture of his preconceived notions, desires, etc. I'm not saying that he picked only the data that agreed with his desired conclusion, but he seems to have studiously ignored all of the facts that point to why what he's trying to do is a bad idea.
Now the next reader is going to come along, very likely someone who is more naive about encryption than Ole is, and filter that blog post through his own preconceptions, impatience, etc.; and come to the conclusion, "If I make a 10k key it'll be safe for life!" Has Ole done this reader a disservice?
I think the biggest disservice is a false sense of security. If your attacker can only pole vault 10 meters, and you already have a fence 1,000 meters high, does a 100,000 meter fence make you any more secure? And what happens if your attacker develops a technique that is universally effective against all fences, no matter the height?
The flip side question is, "What harm is there to using a 10k key?" Aside from CPU and storage for the user of the key, everyone else in the community bears part of the "cost" when they have to verify a signature on an e-mail, for example. Is that a serious enough problem to cause us to wish no one would suggest the use of 10k keys? I don't know.
... and all of this is presupposing that his "only a guess" has any validity to it at all. I don't know the work by Arjen K. Lenstra and Eric R. Verheul that he based his graph on, and I have no idea if Ole's method of projecting key sizes out into the future is valid. What I DO know (and Robert emphasized this point in his first post), is that those authors, and other serious heavyweights in the crypto community have not felt comfortable doing what Ole has done. That fact alone should be enough reason for anyone not to take Ole's blog post seriously.
Doug _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
