> On Sep 28, 2015, at 10:39 PM, Michael Richardson <[email protected]> wrote:
>
> Yoav Nir <[email protected]> wrote:
>> “Some point” has arrived, and I don’t think group #2 should even be
>> SHOULD- at this point.
>
> MAY or SHOULD NOT?

I’m thinking SHOULD NOT. Everyone phased out 1024-bit RSA signatures a few years ago. It can be argued that 1024-bit key agreement is worse than 1024-bit signatures, because if the attacker will be able to crack 1024-bit RSA or DH in 2018, then they can break any IKE that they recorded today that uses the 1024-bit MODP group. OTOH knowing how to break 1024-bit RSA in 2018 doesn’t help them impersonate anyone today, so a safety margin seems more important for D-H than for signatures.

Yoav
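
The concern in this reply is an IKE exchange that still negotiates the 1024-bit MODP group (group #2). As an added example, not part of the original message: a Python parser that walks the proposal substructures of an IKEv2 SA payload (RFC 7296, section 3.3) and reports any offer of a MODP group of 1024 bits or less. The function names, the flagged set (it goes beyond group 2 to the other small MODP groups, 1 and 22) and the sample bytes are assumptions constructed for illustration.

```python
import struct

# IANA IKEv2 D-H group IDs (Transform Type 4) with a MODP prime of 1024 bits or less.
WEAK_DH = {1: "768-bit MODP", 2: "1024-bit MODP", 22: "1024-bit MODP, 160-bit subgroup"}

def dh_groups_offered(sa_body):
    """Return [(proposal_number, dh_group_id)] from an IKEv2 SA payload body
    (proposal substructures only, generic payload header already removed)."""
    found, off = [], 0
    while off < len(sa_body):
        if off + 8 > len(sa_body):
            raise ValueError("truncated proposal header")
        last, _, plen, pnum, _proto, spi_size, n_tf = struct.unpack_from("!BBHBBBB", sa_body, off)
        end = off + plen
        if plen < 8 + spi_size or end > len(sa_body):
            raise ValueError("bad proposal length")
        t_off = off + 8 + spi_size
        for _ in range(n_tf):
            if t_off + 8 > end:
                raise ValueError("truncated transform")
            _more, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", sa_body, t_off)
            if tlen < 8 or t_off + tlen > end:
                raise ValueError("bad transform length")
            if ttype == 4:  # Transform Type 4 = Diffie-Hellman group
                found.append((pnum, tid))
            t_off += tlen  # skips any attributes, e.g. Key Length
        off = end
        if last == 0:  # 0 marks the last proposal, 2 means more follow
            break
    return found

def weak_dh_offers(sa_body):
    """Offers that a SHOULD NOT on small MODP groups would flag."""
    return [(p, g, WEAK_DH[g]) for p, g in dh_groups_offered(sa_body) if g in WEAK_DH]

def transform(ttype, tid, last=False, attrs=b""):
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs

def proposal(num, transforms, last=False):
    body = b"".join(transforms)  # protocol ID 1 = IKE, SPI size 0
    return struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(body), num, 1, 0, len(transforms)) + body

# Constructed sample (not captured traffic): proposal 2 is a fallback that still offers group 2.
AES128 = transform(1, 12, attrs=struct.pack("!HH", 0x8000 | 14, 128))  # ENCR_AES_CBC, 128-bit key
SAMPLE_SA = (
    proposal(1, [AES128, transform(2, 5), transform(3, 12), transform(4, 14, last=True)])
    + proposal(2, [AES128, transform(2, 2), transform(3, 2), transform(4, 2, last=True)], last=True)
)
print(weak_dh_offers(SAMPLE_SA))
```

Run against the initiator's proposals, a non-empty result means a responder that prefers the fallback can still land the exchange on a small group, which is the recorded-today, broken-later exposure described above.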
