On Thu, May 24, 2007 at 01:01:03PM -0400, Perry E. Metzger wrote:
>
> Even for https, it costs no more to type in "2048" than "1024" into
> your cert generation app the next time a cert expires. The only
> potential cost is if you're so close to the performance line that
> slower RSA ops will cause you pain -- otherwise, it is pretty much
> costless. For average people's web servers most of the time,
> connections are sufficiently infrequent and RSA operations are "fast
> enough" that it makes no observable difference.
I don't buy it. I build HTTP load balancers for a living, and for basically all of our customers who use our HTTPS acceleration at all, the cost of 1024-bit RSA is already, by a hefty margin, with hardware assist, the limiting factor for performance. Look at the specs on some of the common accelerator families sometime: 2048 bit is going to be quite a bit worse.

Busy web sites that rely on HTTPS are going to pay a fairly heavy price for using longer keys, and not just in cycles: the few hardware solutions still on the market that can stash keys in secure storage, of course, can stash exactly half as many 2048-bit keys as 1024-bit ones.

Users who care about HTTPS performance aren't as rare, I think, as you think.

What's more frustrating is the slow rate at which accelerator vendors have moved ECC products towards market. That's not going to help with adoption any.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
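To put a number on "quite a bit worse", here is an added example (not from the thread or from any product mentioned in it): a pure-Python timing of the modular exponentiation that a TLS server performs per full handshake with its RSA private key, at 1024 versus 2048 bits, with and without the CRT split that real implementations use. The moduli and exponents are constructed random values of the right size, not real keys, and the absolute times say nothing about accelerator hardware; only the ratio between key sizes is the point.

```python
import secrets
import time


def make_modulus_and_exponent(bits):
    """Constructed stand-in for an RSA key: a random odd modulus and a random
    full-size exponent.  pow(m, d, n) costs the same whether or not n is a real
    RSA modulus, so this suffices to compare private-key work per key size."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    d = secrets.randbits(bits) | (1 << (bits - 1))
    return n, d


def private_op_seconds(bits, crt=False, iterations=20):
    """Average seconds for one RSA private-key operation of the given size.

    crt=False models a single exponentiation mod n.
    crt=True models what servers actually do: two exponentiations, each with a
    modulus and exponent of half the key size (mod p and mod q), plus a cheap
    recombination that is ignored here."""
    if crt:
        n, d = make_modulus_and_exponent(bits // 2)
        m = secrets.randbelow(n)
        start = time.perf_counter()
        for _ in range(iterations):
            pow(m, d, n)  # the "mod p" half
            pow(m, d, n)  # the "mod q" half
    else:
        n, d = make_modulus_and_exponent(bits)
        m = secrets.randbelow(n)
        start = time.perf_counter()
        for _ in range(iterations):
            pow(m, d, n)
    return (time.perf_counter() - start) / iterations


def slowdown_ratio(small_bits=1024, large_bits=2048, crt=False):
    """How many times slower a large_bits private op is than a small_bits one.
    Doubling the key size doubles the exponent length and quadruples the cost
    of each schoolbook multiplication, so roughly 6x to 8x is expected."""
    return private_op_seconds(large_bits, crt) / private_op_seconds(small_bits, crt)


if __name__ == "__main__":
    for crt in (False, True):
        print("CRT" if crt else "plain",
              "1024-bit ops/s: %.0f" % (1 / private_op_seconds(1024, crt)),
              "2048-bit ops/s: %.0f" % (1 / private_op_seconds(2048, crt)),
              "slowdown: %.1fx" % slowdown_ratio(crt=crt))
```

For capacity planning, divide the measured ops/s by the expected full-handshake rate; a 2048-bit key cuts the handshake budget of a given box by roughly the printed factor, which is the cost the post is describing.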
