Quote from Martijn Brinkers <martijn(a)djigzo.com>:
> On 08/06/2012 02:44 PM, Phil Daws wrote:
>> Hello all,
>> looking for a bit of advice as searches have not really reaped
>> much. When we set up Djigzo's CA, what would be the most client
>> inter-operable settings to use; 2048 bits with SHA512? I have been
>> led to believe that there have been issues on BlackBerrys, quite
>> some time ago, when using 4096 bits and SHA512.
> I think the current best practice is to use 4096 with sha256 for the
> root and intermediate(s) and 2048 with sha256 for end user certificates.
It might also depend on the target. For e-mail it should be OK as long
as most of the users have powerful devices (PC-like). With handhelds
as the primary target it could already matter if the key size is "too big",
as the time needed is non-linear
(http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml).
On the other hand, e-mail is not that sensitive to some delay in
processing, unlike for example HTTPS, so for advanced or long-term
security it is reasonable to go for 4096/2048 bits. A quick glance at
the root CAs issued after ~2005 in our Gateway keystore leads to around
one-third with 4096 and two-thirds with 2048 and some minority still at
1024-bit RSA. So if the somewhat bigger CAs use 4096 bits it should
be no problem from an interoperability point of view.
So +1 for Martijn's suggestion.
Regards
Andreas
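The hierarchy Martijn recommends, built with OpenSSL as an added example that is not part of this thread or of Djigzo itself: a 4096-bit RSA/SHA-256 root and intermediate, a 2048-bit RSA/SHA-256 end-user certificate, a chain verification, and a read-back of each certificate's key size and signature algorithm. The subjects, file names and work directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: 4096-bit RSA + SHA-256 for root and
# intermediate, 2048-bit RSA + SHA-256 for the end-user certificate, then
# verify the chain and read back key size and signature algorithm.
# Names, subjects and the work directory are constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

# issue NAME BITS SUBJECT PROFILE [ISSUER]: key + certificate in $WORK.
# PROFILE is "ca" or "user"; without ISSUER the certificate is self-signed.
issue() {
    name=$1 bits=$2 subject=$3 profile=$4 issuer=$5
    if [ "$profile" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/$name.ext"
    else
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' >"$WORK/$name.ext"
    fi
    openssl genrsa -out "$WORK/$name.key" "$bits" 2>/dev/null
    openssl req -new -sha256 -key "$WORK/$name.key" -subj "$subject" -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -sha256 -days 3650 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -sha256 -days 730 -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -extfile "$WORK/$name.ext" \
            -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# key_bits CERT / sig_alg CERT: print the RSA modulus size / signature algorithm.
key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
sig_alg()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

# build_hierarchy: root -> intermediate -> end user, per the thread's advice.
build_hierarchy() {
    issue root  4096 "/O=Example/CN=Demo Root CA" ca
    issue inter 4096 "/O=Example/CN=Demo Issuing CA" ca root
    issue user  2048 "/O=Example/CN=alice@example.com/emailAddress=alice@example.com" user inter
}

# verify_chain: the end-user cert must chain through the intermediate to the root.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/user.crt"
}

build_hierarchy
verify_chain
for c in root inter user; do
    echo "$c: $(key_bits "$WORK/$c.crt")-bit RSA, $(sig_alg "$WORK/$c.crt")"
done
```

Set `WORK` to a persistent directory to keep the generated material; `openssl x509 -text` on each file shows the CA:TRUE/CA:FALSE constraints the profiles set.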