On Mon, May 21, 2007 at 02:44:28PM -0400, Perry E. Metzger wrote:

> http://www.physorg.com/news98962171.html
>
> My take: clearly, 1024 bits is no longer sufficient for RSA use for
> high value applications, though this has been on the horizon for some
> time. Presumably, it would be a good idea to use longer keys for all
> applications, including "low value" ones, provided that the slowdown
> isn't prohibitive. As always, I think the right rule is "encrypt until
> it hurts, then back off until it stops hurting"...

When do the Certicom patents expire? I really don't see ever longer RSA keys as the answer, and the patents are, I think, holding back adoption...

FWIW, Postfix 2.5 in Q1 08 will have EC support when compiled with (likely officially released by then) OpenSSL 0.9.9; the recommended curve is "prime256v1", with "secp384r1" for "encrypt until it hurts" users :-).

The other issue is that sites will need multiple certs during any transition from RSA to ECC, because the entire Internet won't upgrade overnight. I am not expecting public CAs to cooperate by charging the same price for two certs (RSA and ECC) for the same subject name(s); this also may significantly impede migration.

With EECDH one can use ECDH handshakes signed with RSA keys, but that does not really address any looming demise of 1024-bit RSA.

-- 
Victor Duchovni
IT Security, Morgan Stanley