[Cryptech Core] peering into the dusk
Leif Johansson
leifj at sunet.se
Sat Sep 27 12:54:41 UTC 2014
> 27 sep 2014 kl. 12:50 skrev "Linus Nordberg" <linus at nordberg.se>:
>
> Randy Bush <randy at psg.com> wrote
> Fri, 26 Sep 2014 09:06:28 +0900:
>
> | if this makes sense, perhaps jakob will lead the dnssec requirements
> | discussion, and rob rpki and bgpsec. and i presume linus will chime
> | in with tor, which is good.
>
> For signing consensuses (once per hour) we'll need RSA (with at least
> 2048-bit keys) and SHA-1 for now. I'm going to try to figure out for how
> long this will be enough and when Ed25519 + SHA-512 is what we want,
> too. I'll follow up on tech at .
>
>
> Another early adopter I'd like to ask you about your thoughts on is
> signing in Certificate Transparency (RFC6962), i.e. signing of STH's and
> SCT's. The spec says RSA (2048-bit or longer keys) with SHA-256 or ECDSA
> with NIST P-256. If we want to serve Google, ECDSA is needed.
>
> Signing of STH's typically happens once per hour or less. I estimate
> signing of SCT's to happen "some hundreds of times per hour" and that
> "once per second" at peak is going to be just fine.
>
> Thoughts on CT as an early case?
I like it - we are less constrained by p11 for that case since we control the stack (i.e Linus is coding in erlang and there is no p11 anyway)
> _______________________________________________
> Core mailing list
> Core at cryptech.is
> https://lists.cryptech.is/listinfo/core
More information about the Core
mailing list