Jon Callas wrote:
On Nov 7, 2007, at 11:38 PM, Werner Koch wrote:
On Wed, 7 Nov 2007 20:20, jon(_at_)callas(_dot_)org said:
Here are some things I might put in a profile:
I agree with all of that except for:
* Use only RSA 4096 bit public keys
it is not a real problem for a modern desktop box but for small or
embedded devices it is not going to work. There are also no smartcards
in the foreseeable future that will support such a key length. Before
settling on this we should investigate ECC based algorithms.
Then pick a different size. I picked 4096 because it's big and apt to
stay viable for the foreseeable future. NIST's numbers say that 3072
is equivalent to a 128-bit key. On the other hand, I know there's
still a lot of smartcards and the like that are stuck at 2048. I
wouldn't go below 2048.
Again, violent agreement.
I would say that the core OpenPGP thrust should be to create
the profile for the biggest 800lb gorilla market, which is
the Intel-based PC. It's been the big platform for the last
25 years, and will be for the foreseeable future. Which has
plenty of power to spare.
So picking RSA and 4096 sounds good as a pencilled-in number
for now. SHA-3 when it turns up. AES-256. Some new mode
that is to be chosen in future violent & agreeable debate.
Then, for the mobile guys, let them form a subgroup to
create the "mobile profile." It will be completely
different, and "weak" by the standards of the main group.
No problem, different model.
I am a great believer in one entire suite of algorithms
melded together as a cohesive whole. No agility within. So
I think the way forward is to pick a spot in the future, and
create a great combination for then.
And then stick to it. I say more on my singular view here:
https://financialcryptography.com/mt/archives/000983.html
http://iang.org/ssl/h1_the_one_true_cipher_suite.html
which reflects the good old days of pgp 2 :)
iang
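As an added illustration, not part of the thread above: a small Python checker that parses an OpenPGP v4 public-key packet and grades its RSA modulus against the sizes under discussion, 4096 bits as the pencilled-in profile value and 2048 as the floor Jon wouldn't go below. The packet builder uses a constructed dummy modulus, not a real key, and the thresholds and function names are this example's own.

```python
import struct

# Thresholds from the thread, in bits: 4096 is the pencilled-in profile
# value, 2048 the floor Jon would not go below.  Algorithm id 1 is RSA (RFC 4880 9.1).
RSA_ALGO_ID, PROFILE_BITS, FLOOR_BITS = 1, 4096, 2048

def mpi(x: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count followed by big-endian magnitude."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

def build_v4_pubkey_packet(algo: int, n: int, e: int, created: int = 0) -> bytes:
    """Tag-6 public-key packet with an old-format 2-byte length header (0x99).
    n is a constructed dummy modulus for the demo, not a real RSA key."""
    body = b"\x04" + struct.pack(">I", created) + bytes([algo]) + mpi(n) + mpi(e)
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body

def parse_pubkey_packet(pkt: bytes):
    """Return (algorithm id, bit length of the first MPI) from a v4 public
    key or subkey packet, accepting old- and new-format headers."""
    hdr = pkt[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if hdr & 0x40:                     # new format: tag in the low 6 bits
        tag, first = hdr & 0x3F, pkt[1]
        if first >= 224 and first != 255:
            raise ValueError("partial body lengths unsupported")
        off = 2 if first < 192 else 3 if first < 224 else 6
    else:                              # old format: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length unsupported")
        off = 1 + (1, 2, 4)[ltype]
    if tag not in (6, 14):
        raise ValueError(f"tag {tag} is not a public (sub)key packet")
    body = pkt[off:]
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    # body: version(1) creation time(4) algo(1) then MPIs; the first MPI is RSA n
    return body[5], struct.unpack(">H", body[6:8])[0]

def grade_key(pkt: bytes) -> str:
    algo, bits = parse_pubkey_packet(pkt)
    if algo != RSA_ALGO_ID:
        return "reject: not RSA"
    if bits >= PROFILE_BITS:
        return "ok: meets 4096-bit profile"
    if bits >= FLOOR_BITS:
        return "warn: below profile but at or above 2048-bit floor"
    return "reject: below 2048-bit floor"
```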