I think this version looks great with one exception. I believe the
last paragraph in Section 5 (repeated below for convenience) should be
deleted:
In anticipation of a potential need to transition to stronger
cryptographic algorithms in the future, CAs and RPs SHOULD be able to
generate and verify RSASSA-PKCS1-v1_5 signatures using the SHA-512
hash algorithm and RSA key sizes of 3072 and 4096 bits.
I think we should require that implementations support algorithm
agility, but I'd like to not presuppose the algorithms and key sizes
for something that's going to happen 5-8 years down the road. Who
knows, maybe SHA3 will be so whiz-bang that we'll want to move to it.
If we added the following as a security consideration I believe the
intent would be satisfied:
Implementations MUST support algorithm agility.
spt
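As an added illustration (not part of this thread or the draft), here is what "algorithm agility" can look like inside a relying-party verifier written in Go: the accepted (signature algorithm, minimum RSA key size) pairs live in a table, so moving to SHA-512/3072 later, or to something else entirely, changes data rather than verification logic. The names acceptedAlgs, CheckAlgorithmPolicy and selfSigned are hypothetical, and the table's contents are an assumption for the demo rather than the draft's text.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// algPolicy is one accepted (signature algorithm, minimum RSA modulus size) pair.
type algPolicy struct {
	Alg        x509.SignatureAlgorithm
	MinRSABits int
}

// Hypothetical profile table (an assumption for this demo, not the draft's text).
// Moving to a stronger algorithm later edits this data, not CheckAlgorithmPolicy.
var acceptedAlgs = []algPolicy{{x509.SHA256WithRSA, 2048}, {x509.SHA512WithRSA, 3072}}

// CheckAlgorithmPolicy returns nil when cert's signature algorithm is in the table
// and its RSA subject key meets that entry's minimum size; otherwise an error.
func CheckAlgorithmPolicy(cert *x509.Certificate, table []algPolicy) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported key type %T", cert.PublicKey)
	}
	for _, p := range table {
		if p.Alg == cert.SignatureAlgorithm && pub.N.BitLen() >= p.MinRSABits {
			return nil
		}
	}
	return fmt.Errorf("%s with %d-bit RSA key is not in the profile table", cert.SignatureAlgorithm, pub.N.BitLen())
}

// selfSigned builds a constructed self-signed certificate to feed the check (demo input only).
func selfSigned(bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), SignatureAlgorithm: alg, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: "constructed test CA"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Extending the table with a new entry (for example an RSA-PSS algorithm) is enough for certificates signed with it to pass the check, which is the property the "MUST support algorithm agility" wording is after.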
[email protected] wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of
the IETF.
Title : A Profile for Algorithms and Key Sizes for use in the
Resource Public Key Infrastructure
Author(s) : G. Huston
Filename : draft-ietf-sidr-rpki-algs-03.txt
Pages : 6
Date : 2010-10-08
This document specifies the algorithms, algorithms' parameters,
asymmetric key formats, asymmetric key size and signature format for
the Resource Public Key Infrastructure subscribers that generate
digital signatures on certificates, Certificate Revocation Lists, and
signed objects as well as for the Relying Parties (RPs) that verify
these digital signatures.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-rpki-algs-03.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr