Getting DNSSEC deployed with sufficiently large KSKs should be priority #1.
If 90 days for the 1024-bit ZSKs is too long, that can always be
reduced, or the ZSK keylength be increased -- we too can squeeze factors
of 10 from various places. In the early days of DNSSEC deployment the
opportunities
On Thu, 15 Oct 2009, Jack Lloyd wrote:
> Even plain DSA would be much more space efficient on the signature
> side - a DSA key with p=2048 bits, q=256 bits is much stronger than a
> 1024 bit RSA key, and the signatures would be half the size. And NIST
> allows (2048,224) DSA parameters as well, if
A bit too far for a quick visit (at least for me):
http://news.bbc.co.uk/2/hi/uk_news/england/8241617.stm
-- Jerry
-
The Cryptography Mailing List
Unsubscribe by sending "u
> Even plain DSA would be much more space efficient on the signature
> side - a DSA key with p=2048 bits, q=256 bits is much stronger than a
> 1024 bit RSA key, and the signatures would be half the size. And NIST
> allows (2048,224) DSA parameters as well, if saving an extra 8 bytes
> is really tha
On Thu, Oct 15, 2009 at 12:39 AM, Jack Lloyd wrote:
> On Wed, Oct 14, 2009 at 10:43:48PM -0400, Jerry Leichter wrote:
>> If the constraints elsewhere in the system limit the number of bits of
>> signature you can transfer, you're stuck. Presumably over time you'd
>> want to go to a more bit-effic