At 04:48 PM 3/8/99 +0000, Simpson, Sam wrote:
|It has previously been mentioned that Twofish would be added to
|PGP before completion of the AES process. I think everyone would
|agree that the move to a 128-bit block, 128/192/256-bit key
|cipher is a Good Thing, but the point of this message is to ask
|"why the choice of Twofish?"
That's an over-simplification of what has happened.
Two groups of developers, the NAI/PGP group and the GNU Privacy Guard
group, have each said that they want to put Twofish into their
implementations. If there was only one group who wanted to do this, the
proper thing for them to do is use the experimental/private range. (By the
bye, this was my opinion at NAI.) However, when two groups want to do the
same thing, and they both come to the working group, the working group
should do something.
We exist as a working group to foster interoperability between
implementors. If two groups of implementors want Twofish, we ought to
oblige them. Or at least consider it.
As part of that consideration, one thing to remember is that in OpenPGP, we
specifically designed the protocol so that the receiver decides which
algorithms they accept. When we did that, we didn't have all the new AES
algorithms as examples of tempting, but controversial algorithms. I pushed
the point myself with the ROT-N algorithm. OpenPGP is safe from
controversial algorithms because of the algorithm negotiation procedure. If
you don't want to use Twofish, you don't have to. It's that simple.
|Even worse there was the comment (I'm not going to publish e-mail
|addresses to save embarrassment!): "I suggest *replacing*
|Blowfish with Twofish. If you trust one, why not the other?"
Well, that suggestion didn't make the consensus. Thanks for agreeing with
consensus.
By the bye, thanks for your observations. They're quite lucid, and provide
a good analysis of why an individual might not want to use Twofish.
However, it's still attractive enough of an algorithm to have some
groundswell behind it, and it's that support the working group responds to.
It is indeed possible that in a year we will deprecate the identifier.
(Heck, it's possible that in two weeks we'll deprecate it.) But it does
seem like a reasonable thing to permit, here in the early part of 1999. If
you disagree strongly, and believe that the consensus has gone the wrong
way, keep arguing! It's not too late to change people's minds. We're
listening.
Jon
-----
Jon Callas jon(_at_)pgp(_dot_)com
CTO, Total Network Security 3965 Freedom Circle
Network Associates, Inc. Santa Clara, CA 95054
(408) 346-5860
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
665B 797F 37D1 C240 53AC 6D87 3A60 4628 (RSA)
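As an added illustration of the "receiver decides" negotiation described above (example code written for this page, not part of the original message or of any OpenPGP implementation): each recipient advertises an ordered preference list, and the sender may only pick an algorithm every recipient accepts. Assumptions: the symmetric algorithm code points are those later published in RFC 4880 section 9.2 (Twofish = 10), TripleDES is the mandatory algorithm implicitly ending every list (RFC 4880 section 13.2), and ties inside the common set are broken by the sender's own ordering.

```python
from typing import Dict, List

# RFC 4880 section 9.2 symmetric algorithm code points (assumed from the RFC)
TRIPLEDES, CAST5, BLOWFISH = 2, 3, 4
AES128, AES192, AES256, TWOFISH = 7, 8, 9, 10
NAMES = {TRIPLEDES: "TripleDES", CAST5: "CAST5", BLOWFISH: "Blowfish",
         AES128: "AES-128", AES192: "AES-192", AES256: "AES-256",
         TWOFISH: "Twofish"}

# Mandatory-to-implement cipher, treated as implicitly present at the end
# of every recipient's preference list (RFC 4880 section 13.2).
MANDATORY = TRIPLEDES


def effective_prefs(prefs: List[int]) -> List[int]:
    """Preference list with the mandatory cipher appended, duplicates dropped."""
    out: List[int] = []
    for alg in list(prefs) + [MANDATORY]:
        if alg not in out:
            out.append(alg)
    return out


def accepts(recipient_prefs: List[int], alg: int) -> bool:
    """Receiver-side check: does this key accept a message encrypted with alg?"""
    return alg in effective_prefs(recipient_prefs)


def choose_cipher(recipient_prefs: Dict[str, List[int]],
                  sender_prefs: List[int]) -> int:
    """Pick the cipher for a message to several recipients.

    The candidates are the intersection of the recipients' lists, so a
    sender cannot impose an algorithm (Twofish or otherwise) that any
    recipient has not advertised; the sender's ordering only breaks ties.
    """
    acceptable = None
    for prefs in recipient_prefs.values():
        eff = set(effective_prefs(prefs))
        acceptable = eff if acceptable is None else acceptable & eff
    if acceptable is None:
        raise ValueError("no recipients")
    for alg in effective_prefs(sender_prefs):
        if alg in acceptable:
            return alg
    return MANDATORY  # unreachable: MANDATORY is in every recipient's set


if __name__ == "__main__":
    # Constructed recipients: alice has adopted Twofish, bob has not.
    recipients = {"alice": [TWOFISH, AES256, CAST5], "bob": [AES256, CAST5]}
    print("cipher for alice+bob:", NAMES[choose_cipher(recipients, [TWOFISH, AES256])])
    print("bob accepts Twofish?", accepts(recipients["bob"], TWOFISH))
```

With bob's list lacking Twofish the message to both falls back to AES-256; only when every recipient lists Twofish does the sender's preference for it take effect.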