Re: [Sks-devel] Configuring the reverse proxy to support large keys - HT
From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] Configuring the reverse proxy to support large keys - HTTP error 413
Date: Mon, 28 Apr 2014 14:16:30 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0

On 04/28/2014 02:07 PM, Phil Pennock wrote:
> For now, if it's taken 15 years for someone keen on key signings to
> reach a 1MB limit, then I think that 8MB, covering 120 years of
> activity at such a rate, is likely to be enough for most normal mortal
> human beings. It's certainly enough to set as a limit for now,

I agree with Phil that this number is a reasonable limit for now, but i
don't agree with his back-of-the-envelope math.

in particular, many of the pre-existing OpenPGP certifications on an
older key like weasel's were certifications made by 1024-bit DSA keys.
I suspect the certifications made on weasel's new key will likely be
made by 4096-bit RSA keys. DSA signatures are (much) smaller than RSA
signatures even when of the same key length, and RSA signatures
themselves scale with keysize. So i think 8MiB is likely to be fine for
today, and we may need to update it sooner rather than later.

(hopefully in 5 years from now we will all have started a move to
stronger/shorter elliptic curve-based keys, but that transition is
likely to take a while)

Regards,

--dkg
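
The size difference described in the message above, as an added example that is not part of the original post: a size model for one OpenPGP v4 certification packet following the RFC 4880 signature packet layout. It assumes a minimal signature (creation-time hashed subpacket, issuer unhashed subpacket, old-format packet header); the function names are illustrative, and the ECDSA P-256 row goes beyond the two cases the message names.

```python
# Added example: octets needed by one minimal OpenPGP v4 certification packet.
HASHED_SUBPACKETS = 6     # assumption: creation time only (len 1 + type 1 + 4 octets)
UNHASHED_SUBPACKETS = 10  # assumption: issuer key ID only (len 1 + type 1 + 8 octets)


def mpi_len(bits):
    """Largest encoding of an MPI: 2-octet bit count plus the value octets."""
    return 2 + (bits + 7) // 8


def sig_mpis(algo, bits):
    """Octets of signature MPIs. `bits` is the modulus size for RSA and the
    size of q (or of the curve order) for DSA and ECDSA."""
    if algo == "rsa":
        return mpi_len(bits)        # one MPI, as wide as the modulus
    if algo in ("dsa", "ecdsa"):
        return 2 * mpi_len(bits)    # two MPIs, r and s
    raise ValueError(f"unknown algorithm: {algo}")


def cert_packet_len(algo, bits):
    """Total octets of one signature packet, header included."""
    body = (4                       # version, sig type, pubkey algo, hash algo
            + 2 + HASHED_SUBPACKETS
            + 2 + UNHASHED_SUBPACKETS
            + 2                     # left 16 bits of the signed hash
            + sig_mpis(algo, bits))
    # Old-format header: tag octet plus a 1-, 2- or 4-octet length.
    header = 2 if body < 256 else 3 if body < 65536 else 5
    return header + body


def certs_that_fit(limit, algo, bits):
    """Upper bound on certifications in `limit` octets of binary packets
    (ignores key and user ID packets, ASCII armor and form encoding)."""
    return limit // cert_packet_len(algo, bits)


if __name__ == "__main__":
    LIMIT = 8 * 1024 * 1024         # the 8MiB figure from the thread
    cases = [("DSA-1024 (q is 160 bits)", "dsa", 160),
             ("RSA-2048", "rsa", 2048),
             ("RSA-4096", "rsa", 4096),
             ("ECDSA P-256", "ecdsa", 256)]
    for label, algo, bits in cases:
        size = cert_packet_len(algo, bits)
        print(f"{label:26} {size:4} octets, at most {LIMIT // size} per 8MiB")
```

Under these assumptions a certification from a 4096-bit RSA key takes roughly 7.5 times the space of one from a 1024-bit DSA key, so the same limit holds far fewer of them.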