Interestingly, it looks like various pieces of software are starting to enforce minimum sizes on keys even if it breaks the specification. There was a story in Wired on 24th October [1] about a researcher realising that the keys being used to perform DKIM signing of email were in some cases laughably small. Google, for example, were using 512 bits, which makes forging mail from them trivial. I've just upgraded my DKIM installation to the latest version of OpenDKIM, and I see that it's now logging the error "verification error: signing key too small" against some mail. A glance at the source code and the ChangeLog reveals that the feature ("Add library option DKIM_OPTS_MINKEYBITS...default is 1024.") was added on the 24th of October. Similarly, the openssh suite is now enforcing minimum sizes on host keys. I have an old Cisco srw2008 managed switch, which modern version of ssh now refuse to talk to. ians-macbook-air:Downloads igb$ ssh srw2008.home.batten.eu.org
ssh_rsa_verify: RSA modulus too small: 512 key_verify failed for server_host_key RFC 4253 doesn't mandate key sizes, but the ssh client has been modified (some years ago, it would appear --- the oldest version I have is on Solaris 10 circa 2005, and that shows the same behaviour) to enforce minimum key sizes on servers. As I can't fix the firmware on an old switch, I've had to compile up my own version of ssh which bypasses this check! [1] http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/
ssh_rsa_verify: RSA modulus too small: 512 key_verify failed for server_host_key RFC 4253 doesn't mandate key sizes, but the ssh client has been modified (some years ago, it would appear --- the oldest version I have is on Solaris 10 circa 2005, and that shows the same behaviour) to enforce minimum key sizes on servers. As I can't fix the firmware on an old switch, I've had to compile up my own version of ssh which bypasses this check! [1] http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/