RE: S/MIME v3.2 IDs key size text (resend, no signature)
>-----Original Message-----
>From: owner-ietf-smime@xxxxxxxxxxxx
>[mailto:owner-ietf-smime@xxxxxxxxxxxx] On Behalf Of Paul Hoffman
>Sent: Monday, May 12, 2008 12:49 PM
>To: Tony Capel
>Cc: ietf-smime@xxxxxxx
>Subject: RE: S/MIME v3.2 IDs key size text (resend, no signature)
>
>
>At 12:14 PM -0400 5/12/08, Tony Capel wrote:
>>Sean et al:
>>
>>How about:
>>
>>   0 <  key size <   512 : MAY but refer to security considerations section
>> 512 <= key size <  1024 : SHOULD- but refer to security considerations section
>>1024 <= key size <= 2048 : MUST
>>2048 <  key size         : MAY but refer to security considerations section
>
>Could you add verbs to your table? MAY what? SHOULD- what?
Not sure what Tony was thinking but I suggested that this go in 3850bis so
it would have been for receiving agents.
>>"A denial of service opportunity may be exploitable by attackers who
>>provide an excessively large key, or a key selected to require
>>excessive cryptographic processing. One mitigation approach would
>>require that the corresponding public key certificate be validated to a
>>trusted root [trust anchor] prior to use, thus ensuring that only
>>trusted public keys are used. However, some implementations may choose
>>to perform signature verification (or data encryption) in parallel with
>>certificate validation, or even if certificate validation fails. In
>>such cases, measures should be included to limit the impact, for
>>example by limiting cryptographic processing time or requiring
>>certificate validation prior to the use of large keys."
>
>Regardless of small key size issue, I think text like this
>would be a good addition to the Security Considerations
>section of many documents.
I had something similar in the -02 version, but I'll swap out that text for
this text.
spt
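The following is an added example, not text or code from the S/MIME drafts or from any of the people in this thread. It shows how a receiving agent could apply the proposed key-size table together with the mitigation in the quoted security-considerations text: measure the RSA modulus size straight from the DER encoding (no big-number arithmetic yet), refuse an excessive key before any signature verification or encryption work is done, and require the certificate chain to be validated before a large key is used. The verbs MAY / SHOULD- / MUST are read as receiving-agent support levels, as spt says; the 4096-bit cap and the "validate first above 2048 bits" rule are hypothetical values chosen for the example, since the thread fixes no numbers; the sample moduli are constructed powers of two, not real keys.

```python
"""Receiving-agent RSA key-size policy check (added example, not draft text).

Assumptions, not from the thread: MAX_MODULUS_BITS and VALIDATE_FIRST_ABOVE_BITS
are illustrative limits; the MAY/SHOULD-/MUST table is read as receiving-agent
support levels; sample moduli are constructed, not real keys.
"""

MAX_MODULUS_BITS = 4096           # hypothetical hard cap: refuse outright (DoS guard)
VALIDATE_FIRST_ABOVE_BITS = 2048  # hypothetical: chain validation required first


def _der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER; a leading zero byte keeps a high-bit modulus positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int = 65537) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    inner = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: count of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def modulus_bits(rsa_public_key_der: bytes) -> int:
    """Modulus size in bits, read from the encoding before any modular math."""
    tag, seq, _ = _read_tlv(rsa_public_key_der, 0)
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    tag, n_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()


def support_level(bits: int) -> str:
    """The key-size table proposed in the thread, as receiving-agent support."""
    if bits <= 0:
        raise ValueError("key size must be positive")
    if bits < 512:
        return "MAY"
    if bits < 1024:
        return "SHOULD-"
    if bits <= 2048:
        return "MUST"
    return "MAY"


def accept_key(rsa_public_key_der: bytes, chain_validated: bool):
    """Decide whether to use this key for verification/encryption right now.

    Returns (accepted, reason). Oversized keys are refused before any expensive
    work; large keys are used only after the certificate chain was validated;
    small keys are accepted but flagged, per the security considerations."""
    try:
        bits = modulus_bits(rsa_public_key_der)
    except ValueError as exc:
        return False, f"malformed key: {exc}"
    if bits > MAX_MODULUS_BITS:
        return False, f"{bits}-bit modulus exceeds cap of {MAX_MODULUS_BITS} bits"
    level = support_level(bits)
    if bits > VALIDATE_FIRST_ABOVE_BITS and not chain_validated:
        return False, f"{bits}-bit key ({level}): validate certificate chain first"
    if bits < 1024:
        return True, f"{bits}-bit key ({level}): weak, see security considerations"
    return True, f"{bits}-bit key ({level})"


if __name__ == "__main__":
    # Constructed sample moduli (not real keys): 1024, 4096 and 8192 bits.
    for bits, validated in ((1024, False), (4096, False), (4096, True), (8192, True)):
        key = encode_rsa_public_key((1 << (bits - 1)) | 1)
        print(bits, validated, accept_key(key, validated))
```

The size check runs on the raw bytes, so a hostile key never reaches the modular exponentiation path; the same guard belongs in front of the encryption routine for recipient keys pulled from a certificate that has not yet been chained to a trust anchor.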