I think it wouldn't hurt to use 2048 bit RSA keys for anything that supports them. I've been using 2048 bit RSA keys with PGP since 1995 based on the assumption even given uncertainty about the future of factoring that doubling the key size can't hurt, and didn't make any significant difference to message processing time.

Mixmaster is an example of an application which could benefit from larger key sizes, given the presumed long-term assurances one would like about its anonymity. There was some discussion a while ago about a candidate mixmaster version 3 protocol:

http://www.eskimo.com/~rowdenw/crypt/Mix/draft-moeller-v3-01.txt

I made some comments at the time about a way to reduce the space overhead of using RSA:

http://archives.seul.org/freehaven/dev/Jun-2000/msg00029.html

by reusing some of the space inside the RSA encrypted message to transport part of the chained encrypted message as well as the symmetric keys. I think this would allow 2048 bit keys without increasing the already 50% overhead of key-exchange to message with mixmaster. (10k for each).

The other thing mixmaster really needs is forward secrecy, ideally end-to-end forward secrecy, but hop-by-hop forward secrecy would be a start. Lack of forward-secrecy leaves remailer operators open to a fair risk of subpoena attack if someone went to the trouble of having an ISP record the incoming messages.

The other current weak point is DSA signature key sizes maxing out at 1024 bits due to the SHA1 hash output size. I presume that in due course NIST will make an extended DSA to go with the extended SHA1 (SHA-256, SHA-384 and SHA-512).

But signature key strengths aren't so important for forward secrecy as encryption key strengths; you only have to be convinced that current adversaries can't forge them given the current signature size you're using. If at some point in the future after you've upgraded your key sets to larger signature keys, it's not as significant if someone can go back and forge old small key signatures.

Adam

On Sat, Mar 23, 2002 at 05:42:34PM -0800, Lucky Green wrote:
> [about value of upgrading key sizes, triggered by discussion of
> potential implications of Bernstein's paper].
