ehn-dcc-development / eu-dcc-hcert-spec

Electronic Health Certificates Specification

V1 final: RSA #30

Status: Closed (closed by asitplus-pteufl 3 years ago)

asitplus-pteufl commented 3 years ago

I see two problems with RSA:

What is the reason for putting it back into the spec?

jschlyter commented 3 years ago

The only reason is to have a last resort backup algorithm in case ES256 is considered broken. This is highly improbable, but if it would happen anyway having PS256 with RSA 2048 puts us in a lot better situation than having nothing IMHO.

asitplus-pteufl commented 3 years ago

Right, that's reasonable. However, with RSA we would need to consider the "problem" of key length recommendations from 2023 on: RSA 3072 would be better, otherwise we would need to have a new version from 2023 on. But then the size issue needs to be considered again. Unfortunately, there is no clear best-choice option here.
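To make the size trade-off mentioned above concrete, here is an added example (not code from this thread or from the eu-dcc-hcert-spec repository): it signs a constructed sample payload with ES256 and with PS256 over RSA-2048 and RSA-3072 and returns the resulting signature lengths. The `sigSizes` function, its labels and the payload are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sigSizes signs payload with ES256 (ECDSA P-256, fixed-width r||s as COSE
// encodes it) and with PS256 (RSA-PSS, SHA-256, salt length = hash length)
// for each requested RSA modulus size, verifies each signature, and returns
// the signature lengths in bytes keyed by algorithm label. Keys are fresh.
func sigSizes(payload []byte, rsaBits []int) (map[string]int, error) {
	sizes := map[string]int{}
	digest := sha256.Sum256(payload)

	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	r, s, err := ecdsa.Sign(rand.Reader, ecKey, digest[:])
	if err != nil { return nil, err }
	if !ecdsa.Verify(&ecKey.PublicKey, digest[:], r, s) { return nil, fmt.Errorf("ES256 verify failed") }
	esSig := make([]byte, 64) // two 32-byte big-endian integers, no DER framing
	r.FillBytes(esSig[:32])
	s.FillBytes(esSig[32:])
	sizes["ES256"] = len(esSig)

	pssOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
	for _, bits := range rsaBits {
		key, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil { return nil, err }
		psSig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], pssOpts)
		if err != nil { return nil, err }
		if err := rsa.VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], psSig, pssOpts); err != nil { return nil, err }
		// An RSA-PSS signature is always as long as the modulus.
		sizes[fmt.Sprintf("PS256/RSA-%d", bits)] = len(psSig)
	}
	return sizes, nil
}

func main() {
	// Constructed stand-in for the signed certificate bytes (assumption).
	sizes, err := sigSizes([]byte("constructed HCERT payload"), []int{2048, 3072})
	if err != nil { panic(err) }
	fmt.Println(sizes)
}
```

The ES256 signature stays at 64 bytes, while the RSA-3072 fallback adds 128 bytes over RSA-2048 on every certificate, which is the size issue weighed against the 2023 key-length recommendations.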

jschlyter commented 3 years ago

Acceptable key lengths also depend on the key and signature lifetimes. A 2048-bit RSA key that will be used to sign data for a maximum of 14 days and that will be rotated every 7 days (with a 7-day post-publish duration) is most probably low risk, even in a couple of years. The primary and backup algorithms need to be continuously re-evaluated as time goes by.

asitplus-pteufl commented 3 years ago

Agree in terms of security, but disagree in terms of policy: if recommendations change, there might be policies in member states that require the enforcement of new guidelines, especially in this case, where we know that the recommendation is going to change in the not too distant future. It would be necessary to have input from others on this.

jschlyter commented 3 years ago

I'm closing this issue as we don't have any good alternatives at this point.