diff --git a/query.go b/query.go
index 7f77d52..c4d36aa 100644
--- a/query.go
+++ b/query.go
@@ -5,6 +5,7 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/base64"
+	"fmt"
 	"net"
 	"strings"
 )
@@ -88,6 +89,11 @@ func parsePublicKey(s string) (*queryResult, error) {
 		if !ok {
 			return nil, permFailError("key syntax error: not an RSA public key")
 		}
+		// RFC 8301 section 3.2: verifiers MUST NOT consider signatures using
+		// RSA keys of less than 1024 bits as valid signatures.
+		if rsaPub.Size() * 8 < 1024 {
+			return nil, permFailError(fmt.Sprintf("key is too short: want 1024 bits, has %v bits", rsaPub.Size() * 8))
+		}
 		res.Verifier = &rsaVerifier{rsaPub}
 		res.KeyAlgo = "rsa"
 	default: