At 4:56 PM +1200 5/3/08, Peter Gutmann wrote:
How does this reconcile them? Do we get to choose which ones we want?
You follow the MUST, not the "if you care about doing things flexibly, you also do this". This is the same as for almost any IETF standard.
>>(The "or shorter" attached to the "1024" is also going to prove problematicwith FIPS-evaluated crypto implementations, since you can't do < 1024 bits for those).That's just plain wrong. Nothing in the FIPS evaluation says that you cannot verify signatures shorter than what they require.I didn't say you couldn't verify sigs, I said you couldn't get the code to do that evaluated because the minimum they'll accept is 1024 bits. In other words you'd be using non-evaluated code (or code run in a non-evaluated mode) to do the sig. verification.
I admit that I haven't gone through a FIPS evaluation myself, but what you say seems wrong. .I assume that verifying code does not have different code paths for different sizes of keys being verified, so the evaluated code works for the mandated sizes and others. Even if you structured your code along key sizes, the "wrong" sizes would be non-evaluated, and the "right" sizes would be evaluated.
If someone from NIST or from a test lab wants to chime in here, that would be grand.