On 14/09/2010 13:15, Perry E. Metzger wrote: > The decision that 1024 bit keys are inadequate for code signing is > likely reasonable. The idea that 2048 bits and not something between > 1024 bits and 2048 bits is a reasonable minimum is perhaps arguable. > One wonders what security model indicated 4096 bits is the ideal > length....
Given their constraints, what they say (i.e. "to be on the safe side") seems entirely reasonable. Code signing and verification do not occur with great frequency, so a big key is not a big problem. In general, we should resist the temptation to pare security protocols down to the bare minimum - it is this tendency that gave us, for example, the TLS renegotiation attack. A little bit of belt and braces and that would have been a non-issue. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.links.org/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com