On Mon, 23 Mar 1998, Jon Callas wrote:
The question came up in the last stream of what happens if 3DES gets
broken. The answer is that we're in trouble. Any protocol that has a single
MUST algorithm has a single point of failure. Realistically, if that does
happen, on this list (or some other) there will be a flurry of discussion,
and then we'll pick one to be the new MUST algorithm. This would be
painful, but it wouldn't be much more painful than excising out CAST5 or
IDEA. Probably less than IDEA.
The problem is a conflict that some faction wants to minimize the MUST
list (Either for implementation reasons, e.g. PDAs, or because they don't
like or trust BlowFish, CAST5, or SAFER/SK128 - all I think are
unencumbered).
If we have a single MUST, then that singleton is the default and has the
problems you mention. If we add a second MUST, the conventional cipher
code innards double in size.
But I would also note that the same thing happens with RSA v.s. DH. Or
even the various hash algorithms - MD5 has been superceeded by SHA1 - but
isn't that vulnerable too? Part of the idea is to move ahead so that what
gets implemented by this spec will superceed both pgp 2.6.2 and pgp 5.x.
leaving a single "standard" with a universal MUST subset.
At the same time, where capable, every implementation should include the
SHOULDs to avoid the above problems. SHOULD is not simply another way of
saying "MAY".
Though I still have problems with defaulting to 3DES if there is no
preferred cipher listed. I should be able to encrypt using any SHOULD
algorithm and get a reply stating "I can't decrypt it, please use X" if
they published the key without a preference. If there *is* a prefered
cipher, and it is 3DES, I must use 3DES. If there is a list not including
3DES, but I don't implement any of them, I should use 3DES.
One note is that when generating the key for publication, what if I start
on my desktop with a full implementation, but then move to my PDA which
only has 3DES - I need a key update cert. Or I should be asked what the
preferred cipher set is when I generate the key with a note that if I plan
to move the key to other implementations, I should use only 3DES as the
preferred cipher.
--- reply to tzeruch - at - ceddec - dot - com ---