On Tue, 14 Sep 2010 12:01:22 -0300 Henrique de Moraes Holschuh <h...@hmh.eng.br> wrote: > On Tue, 14 Sep 2010, Perry E. Metzger wrote: > > The decision that 1024 bit keys are inadequate for code signing is > > likely reasonable. The idea that 2048 bits and not something > > between 1024 bits and 2048 bits is a reasonable minimum is > > perhaps arguable. One wonders what security model indicated 4096 > > bits is the ideal length.... > > Key lifetime in Debian can be very long, 10 to 15 years.
That may be longer than is reasonable. Technologies shift, and having the capability to update keys over the course of years may be superior to attempting to guess (without sufficient information) what the right key length in 2025 would be. Recall that it is also difficult to keep a private key secure for decades, so 15 years may be longer than it is reasonable to assume that the physical key is safe from actual outright theft or even accidental disclosure. Also, every once in a while, it turns out that one's random number generator or algorithms are not what they should have been. One needs a way of updating keys even if one is reasonably sure that brute force attacks will not work over the period. Given that, attempting to secure the system with a massive key is probably a bad tradeoff. > I'd appreciate some input from this list about the Debian bias > towards 4096 RSA main keys, instead of DSA2 (3072-bit) keys. Is it > justified? I'm not sure why the tradeoff would be between a particular seemingly arbitrary RSA size and a particular seemingly arbitrary DSA size. I would suggest instead selecting the algorithm and key length independently. > These keys are used as KSK, as gpg will happily attach subkeys to > them for the grunt work... I'll open the floor to further discussion now... Perry -- Perry E. Metzger pe...@piermont.com --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
