On Wed, Oct 14, 2009 at 10:43:48PM -0400, Jerry Leichter wrote: > If the constraints elsewhere in the system limit the number of bits of > signature you can transfer, you're stuck. Presumably over time you'd > want to go to a more bit-efficient signature scheme, perhaps using > ECC.

Even plain DSA would be much more space efficient on the signature side - a DSA key with p=2048 bits, q=256 bits is much stronger than a 1024 bit RSA key, and the signatures would be half the size. And NIST allows (2048,224) DSA parameters as well, if saving an extra 8 bytes is really that important. Given that they are attempted to optimize for minimal packet size, the choice of RSA for signatures actually seems quite bizarre. -Jack --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com