To: <dnssec@cafax.se>
From: "Scott Rose" <scottr@antd.nist.gov>
Date: Thu, 10 Oct 2002 07:45:02 -0400
Sender: owner-dnssec@cafax.se
Subject: root zone signing and key lengths/lifetimes
Related to the Johan Interim Root Signing draft topic - I was doing some further research on key management and I was wondering why the key rollover scheme in the draft was chosen: why so often?

There has been some previous work on optimal/practical key lengths. It goes from the extreme hardcore to the general rule-of-thumb. Arjen Lenstra and Eric Verheul have a paper ("Selecting Cryptographic Key Sizes" in the Journal of Cryptography, Vol. 14, number 4, November 2001) that goes into great detail on calculating the necessary key lengths for a given cryptosystem based on how long the secret must be maintained, key use, and possible attack strength (possible computing power available).

A more practical approach is to follow RSA Security's suggested key lengths. Every year, RSA sets the limit of what they believe a "reasonable" key length should be (pointer): http://www.rsasecurity.com/rsalabs/faq/3-1-5.html

They recommend a minimum length of 2048 for RSA keys used by Certificate Authorities. These keys are usually rolled over every 2 years. Since a root key signing key will be very rarely used (only to sign the root zone key), it will be used less often than a CA signing key. Any root zone keys could be rolled over more frequently, and be shorter. And there should be procedures in place to adapt to new cryptanalysis advances.

The DNS has a similar "crypto profile" as a certificate scheme (i.e., known plaintext, public key, etc.). So looking at the key management schemes sounds reasonable to me, but I'm not a hardcore security guy.

Scott
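As an added illustration of the kind of length/lifetime check the message is asking about (example code, not from the mailing list or any DNSSEC implementation): it parses the RFC 3110 RSA public-key field of a DNSKEY record to measure the modulus, then checks it against an assumed policy (a 2048-bit, two-year KSK modelled on the CA recommendation above; a shorter, more frequently rolled ZSK). The policy thresholds and the sample keys are constructed assumptions.

```python
import base64
from datetime import date

# RSA-based DNSSEC algorithm numbers (IANA): RSAMD5, RSASHA1, RSASHA1-NSEC3-SHA1,
# RSASHA256, RSASHA512. Other algorithms carry no RSA modulus to measure.
RSA_ALGORITHMS = {1, 5, 7, 8, 10}

# Assumed policy (not from the email): KSK has flags=257, ZSK has flags=256.
POLICY = {
    257: {"min_bits": 2048, "max_age_days": 730},  # CA-like: 2048 bits, rolled every 2 years
    256: {"min_bits": 1024, "max_age_days": 90},   # short-lived zone key, rolled often
}

def encode_rfc3110(exponent: int, modulus: int) -> str:
    """Build the DNSKEY public-key field per RFC 3110 (used here to construct sample input)."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    prefix = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return base64.b64encode(prefix + e + n).decode()

def rsa_modulus_bits(public_key_b64: str) -> int:
    """Parse an RFC 3110 public key and return the modulus size in bits."""
    raw = base64.b64decode(public_key_b64)
    if raw[0] != 0:
        exp_len, offset = raw[0], 1                           # one-byte exponent length
    else:
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3  # two-byte length form
    modulus = raw[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def audit_dnskey(flags: int, algorithm: int, public_key_b64: str,
                 created: date, today: date) -> list:
    """Return policy findings for one DNSKEY; an empty list means it passes."""
    rule = POLICY.get(flags)
    if rule is None:
        return [f"unknown flags {flags}"]
    findings = []
    if algorithm in RSA_ALGORITHMS:
        bits = rsa_modulus_bits(public_key_b64)
        if bits < rule["min_bits"]:
            findings.append(f"modulus {bits} bits < minimum {rule['min_bits']}")
    else:
        findings.append(f"algorithm {algorithm} is not RSA; size check skipped")
    age = (today - created).days
    if age > rule["max_age_days"]:
        findings.append(f"key age {age} days exceeds rollover limit {rule['max_age_days']}")
    return findings

# Constructed sample keys (not real root keys): a 2048-bit and a 1024-bit modulus.
KSK_KEY = encode_rfc3110(65537, (1 << 2047) | 0x10001)
ZSK_KEY = encode_rfc3110(65537, (1 << 1023) | 0x10001)
CREATED, TODAY = date(2002, 1, 1), date(2002, 10, 10)  # constructed dates
```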