On Tue, Oct 5, 2010 at 18:56, Douglas E. Engert <deeng...@anl.gov> wrote:
> On 10/5/2010 10:04 AM, Martin Paljak wrote:
>>
>> Hello
>> On Thu, Sep 30, 2010 at 18:07, Douglas E. Engert <deeng...@anl.gov> wrote:
>>
>>> With OpenSSL-1.0.0a pkcs11-tool -M shows:
>>>
>>> Supported mechanisms:
>>> RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, keypairgen
>>>
>>> Without OpenSSL, pkcs11-tool -M
>>> RSA-PKCS, keySize={1024,3072}, sign, unwrap, decrypt
>>>
>>> Note that verify is not listed without OpenSSL, as the
>>> pkcs11/openssl.c adds the OpenSSL hash and verify functions.
>>
>> Interesting. RSA-PKCS-KEY-PAIR-GEN should have nothing to do with
>> OpenSSL.
>
> Looks like pkcs11/framework-pkcs15.c line 1348 has #ifdef ENABLE_OPENSSL
> that will add this mech.

That's something that needs to be looked into at some stage.
>> Also, OpenSC (and most smart cards) currently only properly do
>> keys up to 2048 bits.
>
> The NIST 800-73-1 (March 2006) specs called for the PIV applet to
> optionally support 3072 bit keys. So that is what the driver says
> is available. Since the ordinary user can not generate a key on the
> card, and the only keys that can be used are tied to certificates,
> the actual size of the key is determined from the certificate.

It would be nice to support 3072b keys. I have a CryptoStick (OpenPGP) that
supports such keys but I've not yet got around to trying to use it with OpenSC.

> NIST 800-78-2 February 2010, has a nice chart of required key sizes
> and 1024 bit keys are to be gone by 12/31/2013, in all cases. There
> is no mention of 3072 bit keys, and I don't think there are any
> PIV cards that support them today, but I don't think it hurts to say
> the card supports 3072.
>
> But 800-78-2 is also pushing for ECDSA p-256 and p-384 for certificates,
> and ECDH for Key Management. So the trend appears to be to use EC keys
> rather than larger and larger RSA keys.

Correct. But I think it will take a few years before EC is as widespread and
available as RSA is today.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
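The thread above compares what `pkcs11-tool -M` advertises with and without OpenSSL compiled in (the missing `verify` flag, the `RSA-PKCS-KEY-PAIR-GEN` mechanism behind `#ifdef ENABLE_OPENSSL`) and notes that the driver advertises 3072-bit keys that most cards and OpenSC itself do not properly handle. The script below is an added example, not code from the thread or from the OpenSC project: it parses the `NAME, keySize={MIN,MAX}, flag, flag` lines that pkcs11-tool prints, diffs two captures so that mechanisms or flags lost between builds show up, and lists mechanisms whose advertised maximum exceeds a practical limit. The two sample captures are constructed for this example (the two `RSA-PKCS` lines come from the thread; the `SHA1-RSA-PKCS` and `SHA-1` lines and the `verify` flag in the OpenSSL build are assumed, illustrating what the thread says `pkcs11/openssl.c` adds); the 2048-bit threshold is Martin's remark, not a value read from any card.

```python
"""Parse and compare the mechanism list printed by `pkcs11-tool -M`.

Added example for the opensc-devel thread; not part of OpenSC.
Expected input lines (format as printed by pkcs11-tool):
    Supported mechanisms:
      NAME, keySize={MIN,MAX}, flag, flag, ...
      NAME, flag, flag
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

KEYSIZE_RE = re.compile(r"keySize=\{(\d+),(\d+)\}")


@dataclass(frozen=True)
class Mechanism:
    name: str
    key_min: Optional[int]
    key_max: Optional[int]
    flags: FrozenSet[str]


def parse_mechanisms(text: str) -> Dict[str, Mechanism]:
    """Map mechanism name -> Mechanism for one `pkcs11-tool -M` capture."""
    mechs: Dict[str, Mechanism] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):      # blank or "Supported mechanisms:" header
            continue
        key_min = key_max = None
        m = KEYSIZE_RE.search(line)
        if m:
            # keySize={a,b} contains a comma, so pull it out before splitting on ','
            key_min, key_max = int(m.group(1)), int(m.group(2))
            line = line[:m.start()] + line[m.end():]
        parts = [p.strip() for p in line.split(",") if p.strip()]
        name, flags = parts[0], frozenset(parts[1:])
        mechs[name] = Mechanism(name, key_min, key_max, flags)
    return mechs


def diff_mechanisms(a: Dict[str, Mechanism], b: Dict[str, Mechanism]
                    ) -> Tuple[List[str], Dict[str, List[str]]]:
    """What capture `a` advertises that capture `b` does not.

    Returns (mechanisms missing from b, {mechanism: flags missing from b}).
    """
    missing = sorted(set(a) - set(b))
    lost_flags = {
        n: sorted(a[n].flags - b[n].flags)
        for n in a if n in b and a[n].flags - b[n].flags
    }
    return missing, lost_flags


def over_advertised(mechs: Dict[str, Mechanism], max_bits: int = 2048) -> List[str]:
    """Mechanisms whose advertised key maximum exceeds what the stack really handles."""
    return sorted(n for n, m in mechs.items() if m.key_max is not None and m.key_max > max_bits)


# Constructed sample captures (not real tool output; see lead-in).
WITH_OPENSSL = """Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, keypairgen
  RSA-PKCS, keySize={1024,3072}, sign, verify, unwrap, decrypt
  SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA-1, digest
"""

WITHOUT_OPENSSL = """Supported mechanisms:
  RSA-PKCS, keySize={1024,3072}, sign, unwrap, decrypt
"""

if __name__ == "__main__":
    a = parse_mechanisms(WITH_OPENSSL)
    b = parse_mechanisms(WITHOUT_OPENSSL)
    missing, lost = diff_mechanisms(a, b)
    print("mechanisms only in the OpenSSL build:", missing)
    print("flags only in the OpenSSL build:", lost)
    print("advertised above 2048 bits:", over_advertised(a))
```

To use it on a real card, save `pkcs11-tool --module /path/to/opensc-pkcs11.so -M` output from each build to a file and feed the two texts to `parse_mechanisms`; the diff shows exactly which mechanisms and flags depend on the build configuration rather than on the card.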