On 22/09/13 03:07 AM, Patrick Pelletier wrote:
> On 9/14/13 11:38 AM, Adam Back wrote:

>> Tin foil or not: maybe it's time for 3072 RSA/DH and 384/512 ECC?

> I'm inclined to agree with you, but you might be interested/horrified in
> the "1024 bits is enough for anyone" debate currently unfolding on the
> TLS list:
>
> http://www.ietf.org/mail-archive/web/tls/current/msg10009.html


1024 bits is pretty good, and there's some science that says it's about right. E.g., risk management says there is little point in making a steel door inside a wicker frame.

The problem is more to do with distraction than anything else. It is a problem that people will argue about the numbers, because they can compare numbers, far more than they will argue about the essentials. There is a psychological bias to beat one's chest about how tough one is on the numbers, and thus prove one is better at this game than the enemy.

Unfortunately, in cryptography, almost always, other factors matter more.

So, while you're all arguing about 1024 versus 4096, what you're not doing is delivering a good system. That delay feeds into the customer equation, and the result is less security. Even when you finally compromise on 1964.13 bits, the result is still less security, because of other issues like delays.


> and there was a similar discussion on the OpenSSL list recently, with
> GnuTLS getting "blamed" for using the ECRYPT recommendations rather than
> 1024:
>
> http://www.mail-archive.com/openssl-users@openssl.org/msg71899.html


Yeah, they are getting confused (compatibility failures) from too much choice. Never a good idea. Take out the choice. One number. Get back to work.



iang

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
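The "science" behind the numbers being argued over above (1024 vs 2048/3072 RSA/DH, 256/384/512 ECC) is the asymptotic cost of the general number field sieve. The following is an added example, written for this page; it is not code from anyone in the thread, nor from GnuTLS, OpenSSL or ECRYPT. It estimates the symmetric-equivalent strength of an RSA/DH size from the GNFS running time L_n[1/3, (64/9)^(1/3)] and, since the constant factor in front of that formula is unknown, pins the curve with one assumed calibration point: a 1024-bit modulus counts as 80 bits, the conventional SP 800-57 pairing. ECC is scored at n/2 (Pollard rho on a prime-order group). The function and constant names are this example's own.

```python
"""Estimate the symmetric-equivalent strength of RSA/DH and ECC key sizes.

Added example for the key-size thread; not code from the thread or from
GnuTLS/OpenSSL/ECRYPT.  Assumptions:
  * factoring / finite-field discrete-log cost follows the GNFS asymptotic
    L_n[1/3, (64/9)^(1/3)] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3));
  * the unknown constant factor is fixed by one calibration point,
    1024-bit modulus == 80 bits of symmetric security (assumption);
  * an n-bit prime-order elliptic-curve group costs ~2^(n/2) operations
    (Pollard rho), so it scores n/2 bits.
"""
import math

LN2 = math.log(2)
GNFS_C = (64 / 9) ** (1 / 3)        # ~1.923, the GNFS exponent constant

CALIB_MODULUS_BITS = 1024           # assumed calibration point
CALIB_SYMMETRIC_BITS = 80


def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of L_n[1/3, (64/9)^(1/3)] for an n-bit modulus, uncalibrated."""
    ln_n = modulus_bits * LN2                        # ln(2^bits)
    exponent = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / LN2                            # nats -> bits


def rsa_dh_strength(modulus_bits: int) -> float:
    """Symmetric-equivalent bits for an RSA modulus or DH group of this size.

    Taking the difference against the calibration point cancels the unknown
    constant factor of the GNFS running time, so the only assumption left is
    the calibration pairing itself.
    """
    return (gnfs_work_bits(modulus_bits)
            - gnfs_work_bits(CALIB_MODULUS_BITS)
            + CALIB_SYMMETRIC_BITS)


def ecc_strength(curve_bits: int) -> float:
    """Symmetric-equivalent bits for an ECC group whose order has this size."""
    return curve_bits / 2


def smallest_modulus_for(level_bits: float, step: int = 512,
                         limit: int = 32768) -> int:
    """Smallest RSA/DH size (a multiple of `step`) reaching `level_bits`."""
    bits = step
    while bits <= limit:
        if rsa_dh_strength(bits) >= level_bits:
            return bits
        bits += step
    raise ValueError(f"no modulus up to {limit} bits reaches {level_bits} bits")


def strength_table(sizes=(1024, 2048, 3072, 4096, 7680, 15360)) -> dict:
    """Map RSA/DH sizes to (rounded strength, ECC size giving that strength)."""
    table = {}
    for n in sizes:
        sym = round(rsa_dh_strength(n))
        table[n] = (sym, 2 * sym)                    # ECC needs 2x the level
    return table


if __name__ == "__main__":
    print(f"{'RSA/DH':>8} {'sym bits':>9} {'~ECC':>6}")
    for n, (sym, ecc) in strength_table().items():
        print(f"{n:>8} {sym:>9} {ecc:>6}")
    for level in (80, 112, 128, 192, 256):
        print(f"{level}-bit target: RSA/DH >= {smallest_modulus_for(level)}, "
              f"ECC >= {2 * level}")
```

With the 1024 = 80 calibration, 2048 lands near 110, 3072 near 132, 7680 near 196 and 15360 near 263, within a few bits of the SP 800-57 pairings (112/128/192/256), so Adam's 3072 RSA/DH sits at the same 128-bit level as a 256-bit curve, and 384/512-bit curves are the 192/256-bit tier. Move the calibration point by a few bits, or swap in another asymptotic constant, and every row shifts together, which is exactly why arguing over 2048 vs 3072 is arguing about a calibration choice rather than about the system.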
