per-entity - Re: [Per-Entity] Does MDQ with single entity signing result in shorter usage periods for the signing key?
Subject: Per-Entity Metadata Working Group
- From: Ian Young <>
- To: Thomas Lenggenhager <>
- Cc: Per-Entity Metadata Working Group <>
- Subject: Re: [Per-Entity] Does MDQ with single entity signing result in shorter usage periods for the signing key?
- Date: Thu, 4 Aug 2016 09:19:14 +0100
> On 4 Aug 2016, at 07:22, Thomas Lenggenhager wrote:
>
> If I remember correctly from what I once learned in a cryptography class:
> The more signed material you produce with a key the easier it gets to
> attack it.
Historically, there have been many cryptosystems designed which were vulnerable to
known plaintext attacks. The most famous was probably Enigma. Modern systems
tend to be designed to be resistant. I don't believe there is any known
plaintext attack for RSA, in particular; factoring the modulus is still the
bar to beat.
> MDQ with single entity signing would heavily increase the number of signed
> documents publicly accessible. Do we therefore need to shorten the usage
> period of the metadata signing key?
If there *was* a potential for a chosen plaintext attack -- and I don't
believe that's actually a concern -- it is worth ballparking the amount of
material generated against other common uses of RSA.
We're talking here about a few thousand signatures per day. 10K per day is
around 100 million in 30 years (which is the period over which we'd have real
concerns about factoring a 2048-bit modulus anyway).
By some accounts, google.com gets 3.5 *billion* queries *every single day*.
As of a couple of days ago, when they turned on HSTS, all of those go through
TLS. They won't all result in a private key operation, because of connection
caching, but my point is that in terms of increased volume we're still
talking about a drop in the ocean.
> Who knows more about this topic?
Actual academic cryptographers, of which I am not one.
-- Ian