I noted the call to move to 2048... ...but I will comment on the 4096 question...

On 9/06/2011 2:00 p.m., Jay Daley wrote:
After all 4096 is even more secure, so why not use that?
"We're not sure why New Zealand chooses quite such strong encryption on their DNS system, but it does slow your computer down, meaning you're likely to need a faster computer to get a great experience from their shopping sites... or you could use ours, which offer the same level of protection as used around the rest of the world." As with 1280, 4096 would be putting us out of step with the rest of the world.
Trust is often as much about perception as reality.

I agree, but in this case the perception issue is going to be between DNSSEC-protected domains and domains not protected by DNSSEC, not key lengths.

I'm not sure I agree with that.
We know that from the precedent established with X.509 certs where people have no idea about cypher strength and key-length downgrades despite this being much more of a security threat than protection of the DNS data.

Yes, I do agree that an SSL cert may as well be 8-bit for all the average consumer cares, knows or understands. However, how do you spot what level the cert is in your browser?
If it's got a little padlock it's secure - right! With a URL it's easy... www.shopping.co.NZ vs www.shopping.com.AU. Once the perception is out that .nz is less secure than .WhatEver then it just becomes easy as to spot... "Don't shop in New Zealand".

D

-- 
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
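The "4096 slows your computer down" argument in the message above can be put on a footing a validator operator can check. A DNSSEC validator only does RSA verification, which exponentiates by the small public exponent 65537; the expensive private-exponent operation happens on the zone signer. The following is an added example, not code from this thread or from any .nz registry tooling: it models square-and-multiply cost for 1280-, 2048- and 4096-bit moduli (the three sizes the thread discusses), normalised to 2048, and then times CPython's modular exponentiation on a constructed odd modulus of each size. The modulus and word size are assumptions for the demonstration; the timing modulus is not an RSA key and nothing here generates or uses real key material.

```python
import random
import time

# Key sizes debated in the thread; 1280 and 4096 bracket the 2048 proposal.
KEY_SIZES = (1280, 2048, 4096)
PUBLIC_EXPONENT = 65537  # conventional RSA e; this is what a validator exponentiates by
WORD_BITS = 64           # assumed machine word for the schoolbook cost model


def modexp_work(exponent: int, modulus_bits: int, word_bits: int = WORD_BITS) -> int:
    """Deterministic operation count for square-and-multiply modular exponentiation.

    Square-and-multiply needs one squaring per exponent bit plus one multiply per
    set bit. Each modular multiplication of two modulus-sized numbers is modelled
    as words**2 single-word multiplications (schoolbook). Cost model only, so the
    result is reproducible; it ignores Montgomery tricks and CRT on the signer.
    """
    words = -(-modulus_bits // word_bits)  # ceiling division
    mults = exponent.bit_length() + bin(exponent).count("1")
    return mults * words * words


def cost_table() -> dict:
    """Modelled cost per key size, relative to 2048 bits, as (verify, sign).

    verify: exponent 65537, the validator's (resolver's) side.
    sign:   worst-case modulus-sized private exponent, the zone signer's side.
    """
    base_verify = modexp_work(PUBLIC_EXPONENT, 2048)
    base_sign = modexp_work((1 << 2048) - 1, 2048)
    table = {}
    for bits in KEY_SIZES:
        verify = modexp_work(PUBLIC_EXPONENT, bits)
        sign = modexp_work((1 << bits) - 1, bits)
        table[bits] = (verify / base_verify, sign / base_sign)
    return table


def time_modexp(bits: int, exponent: int, rounds: int = 5) -> float:
    """Average seconds for one pow(base, exponent, modulus) at the given size.

    The modulus is a constructed full-size odd integer, chosen only so that the
    arithmetic has the right width; it is NOT a product of two primes and NOT a
    usable RSA key. Timings are machine-dependent and only the ratios matter.
    """
    rng = random.Random(1)  # fixed seed so the constructed operands are reproducible
    modulus = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    base = rng.getrandbits(bits - 1)
    start = time.perf_counter()
    for _ in range(rounds):
        pow(base, exponent, modulus)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    print("modelled cost relative to 2048-bit (verify, sign):")
    for bits, (verify, sign) in cost_table().items():
        print(f"  {bits:5d}: verify x{verify:.2f}  sign x{sign:.2f}")
    print("measured modexp time on this machine (ms):")
    for bits in KEY_SIZES:
        verify_ms = 1000 * time_modexp(bits, PUBLIC_EXPONENT)
        sign_ms = 1000 * time_modexp(bits, (1 << bits) - 1)
        print(f"  {bits:5d}: verify {verify_ms:8.3f}  sign {sign_ms:8.3f}")
```

Under the schoolbook model, verification at 4096 bits costs four times the 2048-bit case while signing costs eight times, because the signer's exponent doubles in length as well as the modulus. In absolute terms a single 65537-exponent verification stays in the sub-millisecond range even at 4096 bits, so the resolver-side cost the message worries about is real but small per query; the larger operational effects of a bigger key are the signer's CPU budget and the extra bytes in every RRSIG and DNSKEY response.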