On 9/06/11 11:08 PM, Jay Daley wrote:
My final word on this is "1280 may well be enough from a security point of view, but there will be latent trust issues within the .nz target market if a key less than 2048 is chosen while other domains have adopted 2048". NZRS and the DNCL may want to consider this.

I am concerned that you will continue to claim "trust issues" unless you get your way fully on each item, and the major "trust issues" we will then face are your claims of "trust issues" rather than any weaknesses in our processes. Can you assure me that will not be the case?
*sigh* There have been some well presented arguments for both 1280 and 2048 bit keys today. My initial query was as to why 1280 bit keys had been chosen over 2048 bit keys, and that this seemed to be a departure from accepted practice. Both Sebastian and yourself have provided an enlightening discussion of the thought process behind this. You've even pulled in the BigGuns(tm).

1280 bit keys ARE less secure than 2048 bit keys, and as you point out, both of these are less secure than 4096 bit keys. So I believe that there are two issues here...

1) Are 1280 bit keys secure ENOUGH for a 1Y rolled KSK?

2) Is having a bit length smaller than the majority of other DNSSEC TLDs going to be a problem for people trusting .nz?

My answer to 1 is "I can't be sure, opinions vary, but NZRS has consulted experts in this field and they seem to suggest that it is a viable option at present."

My answer to 2 is "I believe that people will view the .nz DNSSEC implementation as less secure if it has a smaller bit-length KSK. Regardless of whether they are right or wrong, that will be the public perception."

What I do know for sure is, if you implement 2048 bit keys as you suggested in an earlier email, both of these questions are moot.

Dean
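To put a number on the "1280 is less secure than 2048, which is less secure than 4096" point argued above, the following is an added worked example (not part of the thread, and not NZRS or DNCL material). It applies the standard general number field sieve (GNFS) asymptotic heuristic, L_n[1/3, (64/9)^(1/3)], to the RSA modulus sizes discussed, converts the result to an equivalent symmetric security level in bits, and optionally anchors the estimate to the NIST SP 800-57 figure of 80 bits for RSA-1024. The o(1) term in the asymptotic is ignored and the calibration offset is a simplifying assumption, so the output is a rough comparative estimate, not a claim about any specific factoring record.

```python
"""Rough RSA strength comparison via the GNFS asymptotic heuristic.

Added example for the .nz KSK size discussion; assumptions:
  - work(n) ~ exp((64/9)^(1/3) * (ln n)^(1/3) * (ln ln n)^(2/3)),
    the textbook GNFS L-notation with the o(1) term dropped;
  - "security bits" = log2(work), i.e. the symmetric-cipher key length
    that would take comparable brute-force effort;
  - calibration pins RSA-1024 to 80 bits (NIST SP 800-57 equivalence).
"""
import math

GNFS_CONSTANT = (64.0 / 9.0) ** (1.0 / 3.0)  # ~1.923
NIST_RSA1024_BITS = 80.0                      # SP 800-57 Table 2 equivalence


def gnfs_bits(modulus_bits: int) -> float:
    """Uncalibrated log2 of the heuristic GNFS cost for an RSA modulus."""
    ln_n = modulus_bits * math.log(2.0)
    ln_ln_n = math.log(ln_n)
    ln_work = GNFS_CONSTANT * ln_n ** (1.0 / 3.0) * ln_ln_n ** (2.0 / 3.0)
    return ln_work / math.log(2.0)


def calibrated_bits(modulus_bits: int) -> float:
    """Shift the raw estimate so that RSA-1024 lands on the NIST 80-bit level.

    The constant offset is an assumption made for this example; it keeps the
    relative ordering of key sizes and corrects the asymptotic's optimism.
    """
    offset = gnfs_bits(1024) - NIST_RSA1024_BITS
    return gnfs_bits(modulus_bits) - offset


def work_factor_ratio(smaller_bits: int, larger_bits: int) -> float:
    """How many times more GNFS work the larger modulus needs than the smaller."""
    return 2.0 ** (gnfs_bits(larger_bits) - gnfs_bits(smaller_bits))


def compare(sizes=(1024, 1280, 2048, 4096)) -> dict:
    """Table of raw and calibrated estimates for the sizes under discussion."""
    return {
        size: {
            "raw_bits": round(gnfs_bits(size), 1),
            "calibrated_bits": round(calibrated_bits(size), 1),
        }
        for size in sizes
    }


if __name__ == "__main__":
    for size, est in compare().items():
        print(f"RSA-{size:<5} raw ~{est['raw_bits']:6.1f} bits "
              f"calibrated ~{est['calibrated_bits']:6.1f} bits")
    print(f"2048 vs 1280: ~{work_factor_ratio(1280, 2048):.0f}x more GNFS work")
```

The interesting output for this thread is the gap, not the absolute values: the heuristic puts 1280-bit RSA roughly 21 bits (about a million-fold in work) below 2048-bit, and 2048-bit about 40 bits below 4096-bit, which is the quantitative shape of the "less secure than" ordering both sides of the discussion already accept.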