[Openid-specs-fapi] Key length guidance
Nat Sakimura
nat at sakimura.org
Wed Oct 29 19:23:48 UTC 2025
Dear FAPI WG

One of the comments I got from ISO for FAPI1 is that the key length
requirements would be shifting, and thus it should refer to an external
document that is more agile to adopt.

For example, we say in 5.2.2.0 of FAPI 1 Part 1

    5. shall require and use a key of size 2048 bits or larger for RSA
       algorithms;
    6. shall require and use a key of size 160 bits or larger for elliptic
       curve algorithms;

BCP 195 does not give guidance for those key lengths.
NIST SP 800-57 Part 1: Recommendation for Key Management (General) provides
some.
BSI TR-02102-1 also provides it.

Please see
https://bitbucket.org/openid/fapi/issues/790/fapi1-iso-iec-25791-1-review-comments
for more details.

Any guidance would be appreciated.

Best regards,
Nat
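
An added example, not part of the original message or of the FAPI specification: a check of a JWK Set against the two minimums quoted in the message, with the thresholds held as data so they can be replaced from an external guidance document. The JWK input format, the function names and the sample keys are assumptions made for illustration; the sample keys are constructed and are not real keys.

```python
import base64

# Minimums quoted in the message above from FAPI 1 Part 1, kept as data so a
# deployment can swap in values from an external guidance document.
FAPI1_MINIMUMS = {"RSA": 2048, "EC": 160}
# Field size in bits of the JWK "crv" values registered in RFC 7518.
CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}

def b64url_to_int(value):
    """Decode an unpadded base64url big-endian integer (RFC 7518 Base64urlUInt)."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def key_bits(jwk):
    """Return the key size in bits for an RSA or EC JWK, or None if unknown."""
    kty = jwk.get("kty")
    if kty == "RSA" and "n" in jwk:
        return b64url_to_int(jwk["n"]).bit_length()
    if kty == "EC":
        return CURVE_BITS.get(jwk.get("crv"))
    return None

def check_jwks(jwks, minimums=FAPI1_MINIMUMS):
    """Return (kid, kty, bits, verdict) for every key in a JWK Set."""
    results = []
    for jwk in jwks.get("keys", []):
        kty, bits = jwk.get("kty"), key_bits(jwk)
        if kty not in minimums or bits is None:
            verdict = "unknown"  # no rule or unparseable: do not treat as acceptable
        else:
            verdict = "ok" if bits >= minimums[kty] else "too-short"
        results.append((jwk.get("kid"), kty, bits, verdict))
    return results

def constructed_rsa_jwk(kid, bits):
    """Constructed sample: a JWK-shaped dict whose modulus has `bits` bits (not a real key)."""
    n = (1 << (bits - 1)) | 1
    raw = n.to_bytes((bits + 7) // 8, "big")
    return {"kty": "RSA", "kid": kid, "e": "AQAB",
            "n": base64.urlsafe_b64encode(raw).rstrip(b"=").decode()}

# Constructed sample JWK Set; EC and OKP coordinates are omitted because only
# "kty" and "crv" are needed for the size check.
SAMPLE_JWKS = {"keys": [
    constructed_rsa_jwk("rsa-1024", 1024),
    constructed_rsa_jwk("rsa-2048", 2048),
    {"kty": "EC", "kid": "ec-p256", "crv": "P-256"},
    {"kty": "OKP", "kid": "ed", "crv": "Ed25519"},
]}
```

Passing a different `minimums` mapping to `check_jwks` applies stricter thresholds without touching the checking code.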