Quoting Martijn Brinkers <[email protected]>:

On 08/06/2012 02:44 PM, Phil Daws wrote:
Hello all,

looking for a bit of advice as searches have not really reaped much. When we set up Djigzo's CA, what would be the most client-interoperable settings to use: 2048 bits with SHA512? I have been led to believe that there have been issues on BlackBerrys, quite some time ago, when using 4096 bits and SHA512.


I think the current best practice is to use 4096 with sha256 for the
root and intermediate(s) and 2048 with sha256 for end user certificates.

It might also depend on the target. For e-mail it should be OK as long as most of the users have powerful devices (PC-like). With handhelds as the primary target it could already matter if the key size is "too big", as the time needed is non-linear (http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml). On the other hand, e-mail is not that sensitive to some delay in processing, unlike for example HTTPS, so for advanced or long-term security it is reasonable to go for 4096/2048 bits. A quick glance at the root CAs issued after ~2005 in our Gateway keystore leads to around one-third with 4096 and two-thirds with 2048 and some minority still at 1024-bit RSA. So if the somewhat bigger CAs use 4096 bits it should be no problem from an interoperability point of view.

So +1 for Martijn's suggestion.

Regards

Andreas
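
As an added example, not part of this thread or of Djigzo itself: a small POSIX shell script that builds a throwaway CA hierarchy with the sizes and digests recommended above (4096-bit/SHA-256 root and intermediate, 2048-bit/SHA-256 end-user certificate) and then audits each certificate for key size and signature hash, the check Andreas did by eye on the gateway keystore. It assumes the openssl CLI is installed; all subjects, file names and the minimal config are constructed for the example.

```shell
# Added example (not from the thread): test CA hierarchy with the recommended parameters,
# plus an audit of key size and signature algorithm. Requires the openssl CLI.
# All subjects, paths and the config below are constructed for this example only.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Minimal openssl.cnf so the example does not depend on the system configuration.
printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$WORK/req.cnf"

# make_root <bits> <digest>: self-signed root with the given RSA size and signature hash.
make_root() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey "rsa:$1" -nodes "-$2" -days 3650 \
        -subj "/CN=Example Test Root" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}
# issue <name> <bits> <digest> <parent> <ca|ee>: child certificate signed by <parent>'s key.
issue() {
    openssl req -new -config "$WORK/req.cnf" -newkey "rsa:$2" -nodes "-$3" \
        -subj "/CN=Example $1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    if [ "$5" = ca ]; then sed -n '/^basic/,$p' "$WORK/req.cnf" > "$WORK/$1.ext"
    else printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$WORK/$1.ext"; fi
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" -CAcreateserial \
        "-$3" -days 1825 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# cert_key_bits <cert>: RSA modulus size, e.g. 4096 (matches OpenSSL 1.1 and 3.x text output).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}
# cert_sig_alg <cert>: signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
# audit_cert <cert> <minbits>: flag keys below <minbits> or SHA-1/MD5 signatures; 0 = acceptable.
audit_cert() {
    bits=$(cert_key_bits "$1"); alg=$(cert_sig_alg "$1")
    [ "$bits" -ge "$2" ] || { echo "$1: key only $bits bits (< $2)"; return 1; }
    case "$alg" in *sha1*|*md5*) echo "$1: weak signature $alg"; return 1 ;; esac
    echo "$1: ok ($bits bits, $alg)"
}

# build_chain: root and intermediate at 4096/sha256, end-user certificate at 2048/sha256.
build_chain() {
    make_root 4096 sha256
    issue intermediate 4096 sha256 root ca
    issue user 2048 sha256 intermediate ee
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" "$WORK/user.crt" >/dev/null
}
build_chain
for c in root intermediate user; do audit_cert "$WORK/$c.crt" 2048; done
```

Point audit_cert at the certificates exported from a real keystore to get the same one-third/two-thirds style tally, with anything below 2048 bits or signed with SHA-1 called out.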



_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
