I think we *also* want to add references to these two IETF BCPs:
RFC 3766 Determining Strengths For Public Keys Used For Exchanging
Symmetric Keys. H. Orman, P. Hoffman. April 2004. (Format: TXT=55939
bytes) (Also BCP0086) (Status: BEST CURRENT PRACTICE) (23 pages)
RFC 4086 Randomness Requirements for Security. D. Eastlake, 3rd, J.
Schiller, S. Crocker. June 2005. (Format: TXT=114321 bytes)
(Obsoletes RFC1750) (Also BCP0106) (Status: BEST CURRENT
PRACTICE) (48 pages)
They are both, by the way, well worth reading.
Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music/High North Inc
email: blueroofmusic at gmail.com
579 Park Place Saline, MI 48176
PO Box 221 Grand Marais, MI 49839
On Fri, Jan 30, 2009 at 9:39 PM, Randy Turner <rturner at amalfisystems.com> wrote:
>> Hi Brian,
> I think the IANA registry actually has the key length specified as part of
> the suite enumeration.
> Examples are:
> There are other suites that don't specify numeric key sizes, but in these
> cases, the algorithm itself
> (3DES for example) work with a specific key size that doesn't vary.
> In this case, we may be able to just specify that we're talking about a
> minimum suite, with a reference to RFC 5246 and
> the IANA registry itself.
>> On Jan 30, 2009, at 6:26 PM, Brian Smithson wrote:
>> I am still wondering how these two attributes can be used in practice. I
> know that we can uniquely identify cipher suites using the IANA
> registry, but is there an authoritative source to specify that one suite
> is "more minimum" than another? And if you consider different key
> lengths that might be acceptable for a given suite, then can we really
> say that suite X is more minimum than suite Y even if an HCD supports a
> relatively long key length for X but only supports a relatively short
> one for Y?
> Brian Smithson
> PM, Security Research
> PMP, CISSP, CISA, ISO 27000 PA
> Advanced Imaging and Network Technologies
> Ricoh Americas Corporation