Re: [TLS] New Version Notification for draft-sheffer-tls-bcp-00.txt

[james hughes <hughejp@mac.com>]

On Sep 9, 2013, at 7:30 PM, Michael Ströder <michael at stroeder.com> wrote:
> 
> > Peter Gutmann wrote:
> 
>> > Do you have numbers about the relative and absolute performance impact?
>> > Personally I don't see performance problems but I can't prove my position with
>> > numbers.
> 
> MBA-2:tmp synp$ openssl speed dsa1024 dsa2048
[…]
>                  sign    verify    sign/s verify/s
> dsa 1024 bits 0.000445s 0.000515s   2247.6   1941.8
> dsa 2048 bits 0.001416s 0.001733s    706.4    577.2

We are arguing about a key exchange that goes from ~1ms to ~3ms (where the cracking goes from "yes" to "no"). Yes, this is more but this is absolutely not a problem for PCs or even phones or tablets especially in the light of session keep alive and other techniques that allow a key exchange to last a while. 

Is the complaint that the server load is too high? 

Lastly, going a partial step seems strange also. Why do we what to put ourselves through this again so soon? The French government suggests 2048 now (for both RSA and DHE), and will only last 6 years. From 
	http://www.ssi.gouv.fr/IMG/pdf/RGS_B_1.pdf

> La taille minimale du module est de 2048 bits, pour une utilisation ne devant pas depasser lannee 2020.
The minimum size of the modulus is 2048 bits for use not to exceed 2020.

> Pour une utilisation au-dela de 2020, la taille minimale du module est de 4096 bits
For use beyond a 2020, the minimum module size is 4096 bits


Pardon the bad cut/paste and google translate, but I believe you get the point.