bmann...@vacation.karoshi.com writes:

> er... there is the root key and there is the ROOT KEY.
> the zsk only has a 90 day validity period. ... meets the
> "spec" and -ought- to be good enough. that said, it is
> currently a -proposal- and if credible arguments can be made
> to modify the proposal, I'm persuaded that VSGN will do so.
Well, you might look at Ekr's argument, which I largely agree with. I think the two key observations are that 1024 bit keys are already considered iffy, large sums (perhaps hundreds of millions of dollars or even more) may be thrown by opponents at this particular key, and that technology for factoring will only get better. Given the sums that could be spent, very specialized hardware could be built -- far more specialized than ordinary PCs, on which the problem doesn't scale that well in its most expensive steps.

Security is usually not limited by cryptography in the modern world. Crypto systems are usually far stronger than opponents' will to spend, and bugs are the more obvious way to attack things. However, if you're talking about a really high value target and "weak enough" crypto, the economics change, and with them so does everything else. Crypto being a potential weak spot is an exceptionally rare situation, but the DNS root key is insanely high value.

We should also recognize that in cryptography, a small integer safety margin isn't good enough. If one estimates that a powerful opponent could attack a 1024 bit RSA key in, say, two years, that's not even a factor of 10 over 90 days, and people spending lots of money have a good record of squeezing out factors of 10 here and there. Finding an exponential speedup in an algorithm is not something one can do, but figuring out a process trick to remove a small constant is entirely possible.

Meanwhile, of course, the 1024 bit "short term" keying system may end up staying in place far longer than we imagine -- things like this often roll out and stay in place for a decade or two even when we imagine we can get rid of them quickly. Do we really believe we won't be able to attack a 1024 bit key with a sufficiently large budget even in 10 years?

Again, normally, crypto isn't where you attack an opponent, but in this case, I'd suggest that key length might not be a silly thing to worry about.
There are enough people here with the right expertise. I'd be interested in hearing what people think could be done with a fully custom hardware design and a budget in the hundreds of millions of dollars or more.

Perry
--
Perry E. Metzger pe...@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
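The safety-margin reasoning in the post, worked through as an added example (not part of the original message): it takes the post's figures of a 90-day validity period and a hypothetical two-year break time, and uses the asymptotic GNFS running-time estimate L_n[1/3, (64/9)^(1/3)] as a rough heuristic for comparing key sizes. The heuristic drops the o(1) term and is not calibrated against real factoring records, so only ratios between key sizes are meaningful.

```python
import math


def gnfs_work(modulus_bits: int) -> float:
    """Natural log of the asymptotic GNFS running time L_n[1/3, (64/9)^(1/3)]
    for an RSA modulus of the given bit length. The o(1) term is dropped, so
    this is only useful for ratios between key sizes, not absolute run times."""
    ln_n = modulus_bits * math.log(2)
    c = (64.0 / 9.0) ** (1.0 / 3.0)
    return c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)


def relative_cost_bits(bits_a: int, bits_b: int) -> float:
    """log2 of how much more GNFS work a bits_b modulus needs than a bits_a one."""
    return (gnfs_work(bits_b) - gnfs_work(bits_a)) / math.log(2)


def safety_factor(break_time_days: float, validity_days: float,
                  attacker_speedup: float = 1.0) -> float:
    """Estimated time to factor the key divided by its validity period, after
    the attacker has squeezed out a constant-factor speedup (the post's
    'process trick'). Near or below 1.0 means the key can be broken while
    resolvers still trust it."""
    return (break_time_days / attacker_speedup) / validity_days


def bits_for_extra_margin(base_bits: int, factor: float, step: int = 8) -> int:
    """Smallest modulus length (in `step`-bit increments) whose estimated GNFS
    cost is at least `factor` times that of a base_bits modulus."""
    target = math.log2(factor)
    bits = base_bits
    while relative_cost_bits(base_bits, bits) < target:
        bits += step
    return bits


if __name__ == "__main__":
    # The post's scenario: a 1024-bit ZSK valid for 90 days and a well-funded
    # opponent estimated (hypothetically) to factor it in about two years.
    print(f"margin, two years vs 90 days: {safety_factor(2 * 365, 90):.1f}x")
    print(f"margin after a 10x process trick: {safety_factor(2 * 365, 90, 10):.1f}x")
    print(f"2048 vs 1024 bits: ~2^{relative_cost_bits(1024, 2048):.0f} more GNFS work")
    print(f"bits needed for 1000x the 1024-bit cost: {bits_for_extra_margin(1024, 1000)}")
```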