* Maintaining algorithm registries takes time and effort
* Modern best practice for algorithms rejects the idea that more algorithms is
'better'.
* The security of the system is determined by the weakest algorithm an
attacker can persuade you to use,
* One Mandatory to implement plus a reserve is generally emerging as best
* Support for vanity crypto is an unfortunate necessity.
* ASN.1 OIDs are kind of obnoxious
* Suites don't work
* Most OpenPGP folk would like to use short identifiers
For many years I have wanted a way to move discussion of vanity crypto out of
the IETF, etc. If we touch a spec, the vendor can pretend that we endorse it.
So what I propose is a two level scheme:
Mandatory and Recommended algorithms are registered in a short identifier
registry.
For everything else there is a reserved 'escape code' that states the algorithm
is specified by OID.
OIDs do get a little large sometimes. But they do have the advantage that
nobody can claim that they have IETF endorsement. That is not true of any
scheme we could devise ourselves.
This approach means that there is a real difference between being one of the
supported algorithms and the recommended algorithm.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp