Werner Koch wrote:

> On Tue, 6 Nov 2007 16:18, iang(_at_)systemics(_dot_)com said:
>
>> Supposing that we do proceed to do a next generation, are we planning on a "big" change over a 10-year cycle, or are we planning on a "small" change with only modest fix-ups?
>
> We should sync ourselves with the NIST hash competition, so that a new version would be due not before 4 years from now.
>
> Although SHA-3 will be a drop-in replacement for SHA-2, my understanding is that there will be suggestions on new usage modes like randomization of hashing. That requires substantial changes to OpenPGP.
Yes, this is where I was heading with my question on big cycle versus small. When OpenPGP started as a working group, we knew X as a community about crypto. That X was some large delta away from what PRZ and his large team of helpers knew 5-10 years earlier. Call their knowledge V.

Now, 10 years later again, we know X plus another big delta, call it Y. The whole issue of HMACs is post-OpenPGP's inception, and the block encryption algorithm design process has been radicalised by the AES competition. Fixing the message digest "weakness" actually has more ramifications than just changing the current one. Threat models and security models are now informed by actual heavy experience.

Etc. etc. I wonder if the answer is that we should bite the bullet and say: let's plan on another 10-year cycle. That is, let's spend an entire year just discussing what the next generation OpenPGP should look like.

Alternatively, we might fall into the trap of trying to squeeze too many short-term fixes in and still take a decade.

iang