At 03:18 AM 9/25/2002 +1200, Peter Gutmann wrote:
>Rodney Thayer <rodney(_at_)tillerman(_dot_)to> writes:
>>Why do we want ECC in OpenPGP?
>Because it already contains every algorithm anyone could think of anyway,
>few more for implementors to ignore wouldn't matter?
Well as I see it there's the "lifeboat" principle. If someone, somewhere,
publishes a 3-line perl script that breaks 2048 bit RSA, we'd like to have
a second public key algorithm in the protocol spec so we could switch over.
This has two problems:
-- the powers that be in the IETF tend to spit in your eye when you propose
this class of logic. Been there, tried that. They assume RSA is immortal.
-- we already have DSA for that. (Well if we want to claim RSA and DSA are
structurally related we don't but that's not the question at hand)
The second thing we're doing is violating the "it should be implementable"
principle. These RFCs are supposed to be buildable by normal mortals.
Adding 80,000 bells and whistles is stupid -- we get specs that are
hard to implement, hard to interoperate, and hard to read (for things
like security flaws).
So, I come back to my question -- why do we want ECC? If there isn't
a requirement it fulfills it shouldn't be in the standard -- it just
takes up space and causes problems.