Lutz Donnerhacke wrote:
* Werner Koch wrote:
In the light of the recent GnuPG bug, where I accidently used the same
small sized k for signature creation as it is used for encrypting, I'd
very much like to drop the ElGamal signing ability all together from
OpenPGP. AFAIK, GnuPG is the only implementation with support for
these keys and by now the about 1100 known primary and subkeys should
have been revoked. Thus there won't be any interoperability problem
anymore.
I'd like to oppose. ElGamal signatures are still useful, despite there is a
charge of signatures with some algorithmic errors. I'd prefer a paragraph
describing the problem and advicing to not use keys of this charge.
Thinking about the case for removing ElGamal from the
standard, here are the pluses that I see:
a. The purpose of the standard is to document the greater
good set of common and useful algorithms to which most
implementation should try and implement.
If there are O(1000) users of the ElGamal signature
algorithm, I'd say at first glance this does not qualify
as a major usage.
Also, if GnuPG is the *only* implementation of this,
then that would seem to go against the spirit of the
"two implementations" rule. (Although, not breached
in practice, as it is only a small part, I would guess.)
b. Removing it from the standard would only mean that other
implementations could then totally ignore it, instead of
choosing to ignore it. Also, removing it from the standard
does not mean it can't be used - it just means that it is
then a private algorithm. If it later on proves to be
of great use and other implementations adopt it, it can
always be added back into a future version, or written
into a informational draft.
c. Some change has to be made, because there is a bug. So
it might simply be a balance between removing it - easy? -
and writing in the bug-fixed-text - not so easy?
d. Less is much better. OpenPGP is already way too big and
complex, which slows its implementation and thus slows
its use, and its long term success.
Against the removal:
A. This is supposed to be very late in the game for the
production of the standard. There should be very minor
changes, if any.
On balance, there seems to be a good case for removing it
entirely!
( I speak here without any knowledge of the technical aspects
of the algorithm, of course! Standard Dilbert comments
apply... )
One thing I am not sure of - what is it useful for? In the
sense, does it do something that is highly prized and wanted?
That would perhaps be key in determining if removal is to
be warranted at this late stage...
iang