----- Original Message -----
> From: "Till Maas" <opensource@xxxxxxxxx>
>
> Therefore I would like to propose a packaging guideline about which
> minimum key size software in Fedora should generate by default. It seems
> to me that requiring RSA 3072 key by default in Fedora is a good initial
> compromise. I did not notice RSA keys with more than 4096 bits
> regularly, therefore I am not sure whether using RSA 15360 keys by
> default is a good idea.

Yes, everybody agrees that 1024-bit RSA keys are too small for any long-term usage.

From what I see, the disagreement between NIST, CA/B Forum and ENISA stems from the security margins they consider safe. If you compare the NIST and ENISA standards at the 128-bit security level, you'll see that both of them recommend 3072-bit RSA keys (and 256-bit ECDSA keys). NIST just considers 112-bit security (the level which 3DES provides) still good enough (up to year 2030), and that's why they consider 2048-bit RSA keys to be OK. See Table 2 in NIST SP 800-57 and Table 3.6 in the ENISA report for comparison.

Using 15360-bit RSA keys by default is definitely not a good idea: not only are they very large and as such introduce big delays in TLS negotiation, but signing or verifying such big signatures is also very slow (think 0.5s for creation of a single signature on a 3GHz Core i7 and many seconds on a smartphone).

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
http://wiki.brq.redhat.com/hkario
Email: hkario@xxxxxxxxxx
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
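The NIST SP 800-57 Table 2 levels quoted in the thread (2048-bit RSA at 112, 3072-bit at 128, 15360-bit at 256) come from a GNFS running-time heuristic, written out in FIPS 140-2 Implementation Guidance 7.5. The script below is an added example, not code from this thread or from Fedora: it evaluates that estimate, compares it with the rounded NIST levels, and finds the smallest modulus the estimate accepts for a target level. The rounding to 80/112/128/192/256 is NIST's; the formula is an approximation, not a proof of strength.

```python
import math

# NIST SP 800-57 Part 1, Table 2: RSA modulus size -> security strength in bits.
# These are the rounded levels the thread cites (2048 -> 112, 3072 -> 128).
NIST_RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def gnfs_strength_estimate(modulus_bits: int) -> float:
    """Estimated security strength (bits) of an RSA modulus of the given size.

    Uses the GNFS running-time heuristic as written in FIPS 140-2 IG 7.5,
    which underlies NIST's table; NIST rounds the result to 80/112/128/192/256.
    """
    L = modulus_bits * math.log(2)  # modulus size in natural-log units
    return (1.923 * L ** (1 / 3) * math.log(L) ** (2 / 3) - 4.69) / math.log(2)


def ecc_strength(curve_bits: int) -> int:
    """Security strength of an elliptic-curve key: about half the field size
    (generic discrete-log attacks), so 256-bit ECDSA gives ~128 bits."""
    return curve_bits // 2


def min_rsa_bits_for_strength(target_bits: int, step: int = 8) -> int:
    """Smallest modulus (in `step`-bit increments, starting at 512) whose
    GNFS estimate reaches target_bits."""
    bits = 512
    while gnfs_strength_estimate(bits) < target_bits:
        bits += step
    return bits


if __name__ == "__main__":
    for n, nist in NIST_RSA_STRENGTH.items():
        est = gnfs_strength_estimate(n)
        print(f"RSA-{n:5d}: GNFS estimate {est:6.1f} bits, NIST level {nist}")
    print(f"ECDSA-256: ~{ecc_strength(256)} bits")
    for level in (112, 128, 192):
        print(f"{level}-bit security needs >= RSA-{min_rsa_bits_for_strength(level)} by the estimate")
```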