On 24 jan 2012, at 17:15, Ondřej Surý wrote:
> Any opinions?
I very much disagree. There is no reason to stop recommending 1024-bits RSA
keys. I did ask Paul Hoffman, and got the following reply:
"A 1024 bit keys whose value is under US$100M is secure for many years in the
future; see RFC 3766. No one has even publicly broken an 800-bit key (other
than one "special" 1024 bit key that was really 768 bits of strength), ever.
The leap from 800 to 1024 is huge unless there is a significant new
cryptographic technique discovered. If such a technique is found, it might
apply to 1280 bit keys as well: there is no way to tell because it hasn't been
discovered."
Paul continues with:
"In specific, RFC 3766 (of which I am co-author) refers to an adversary that is
willing to spend US$1trillion (yes, "trillion" not "billion"). We did that on
purpose. No DNSSEC key is worth that much, so no adversary would spend that
much to break it. RFC 4359 refers to guesses made in the original TWIRL
specification, and those guesses have never been tested in public. TWIRL might
still become real, but if it does, there is no way to predict if TWIRL-next
will also work on 2048-bit keys. If someone is willing to spend tens of
millions of dollars to develop TWIRL, they'll spend an equal amount improving
it past 1024 bit keys; we don't know how far it would go.
If you are relying on guesses about massive improvements in integer
factorization in RSA (which are believable even if they are unpredictable), you
are much safer going with ECDSA keys than trying to guess the limits of the key
size that will be *not* be affected by the unpredictable improvement."
'nuff said.
jakob
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
