Olaf M. Kolkman wrote:
> On Wed, 15 Jun 2005 12:26:07 +0200
> "Olaf M. Kolkman" <[EMAIL PROTECTED]> wrote:
>> On Wed, 15 Jun 2005 10:55:42 +0100
>> Ben Laurie <[EMAIL PROTECTED]> wrote:
>>> One thing that hasn't been noted, as far as I can see, is that there's
>>> not much point having a key longer than your parent's key.
>> Good catch... Thanks
> I thought about this a little more but I am not sure what you said
> holds.
> You can have a longer key than your parent's zone if it has made a
> different tradeoff between length and key-effectivity period than
> yourself. E.g. your parent uses a 1000-bit key for 2 months and you
> use a 2048-bit key for 3 years.
It's true that there's a complication introduced by key effectivity
period. But given that the most efficient factoring algorithms take time
O(e^2(ln(q)ln(ln(q)))^.5) (where q is the number to be factored), for
practical key sizes, this means that doubling the key size causes such an
astronomical increase in work factor (e.g. 2048 bits takes 10^29 times
as long as 1024 bits) that you may as well ignore the trivial difference
the effectivity period makes.
Or, to turn it on its head, to have a key that would take twice the time
to crack as a 1024-bit key, use 1033 bits.
> Besides, it may be that your local policy dictates that you verify your
> own domains with locally configured trust anchors that may consist of
> more bits than the weakest link in the validation chain.
This is indeed true, but an orthogonal point.
Cheers,
Ben.
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
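The arithmetic behind Ben's two figures, as an added example that is not part of the thread: it reads his "O(e^2(ln(q)ln(ln(q)))^.5)" as W(q) = exp(2*sqrt(ln q * ln ln q)) with q ~ 2^bits (an assumption about his notation, which reproduces both his 10^29 and his 1033), and then applies the same curve to Olaf's 3 years vs 2 months trade-off to show how few bits that exposure difference actually costs.

```python
"""Work-factor arithmetic for the key-length vs effectivity-period argument.

Added example, not code from the dnsop thread. Assumption: Ben's
"O(e^2(ln(q)ln(ln(q)))^.5)" means W(q) = exp(2 * sqrt(ln(q) * ln(ln(q))))
with q ~ 2^bits. All values are kept in the log domain so large key sizes
never overflow a float.
"""
import math


def log_work(bits: float) -> float:
    """Natural log of W(q) for a modulus q of the given bit length (q ~ 2^bits)."""
    ln_q = bits * math.log(2)
    return 2.0 * math.sqrt(ln_q * math.log(ln_q))


def log10_work_ratio(bits_a: float, bits_b: float) -> float:
    """log10 of W(2^bits_a) / W(2^bits_b): decimal orders of magnitude by which
    the longer key is harder to factor under the assumed cost model."""
    return (log_work(bits_a) - log_work(bits_b)) / math.log(10)


def bits_for_work_factor(base_bits: float, factor: float) -> float:
    """Real-valued key length whose work factor is `factor` times that of
    `base_bits`, found by bisection (log_work is monotone increasing)."""
    target = log_work(base_bits) + math.log(factor)
    lo, hi = base_bits, base_bits * 4  # W is unbounded, so 4x bits is a safe upper end
    for _ in range(100):
        mid = (lo + hi) / 2
        if log_work(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    # Ben's two figures: 2048 vs 1024 bits, and the key "twice as hard" as 1024 bits.
    print(f"2048 vs 1024 bits: 10^{log10_work_ratio(2048, 1024):.1f} times the work")
    print(f"2x the work of 1024 bits: {bits_for_work_factor(1024, 2):.1f} bits")
    # Olaf's trade-off: a child key live for 3 years is exposed 18x longer than a
    # parent key live for 2 months; this is how many extra bits buy that factor back.
    exposure_ratio = 36 / 2
    extra = bits_for_work_factor(1024, exposure_ratio) - 1024
    print(f"{exposure_ratio:.0f}x longer effectivity period costs only {extra:.1f} extra bits")
```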
dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html