Re: ECC in OpenPGP proposal
Jon Callas wrote:
I agree that there is virtue in limiting choice. However, there are a
lot of people who want ECC, particularly in the context of Suite B. In
the not-to-distant future, this will be a requirement.
For the record, I agree there should be a Suite B ! It is
an economic reality, a real-world requirement. When
NIST/NSA speaks, that's it.
The short summary of my argument is that there should one
and only one MUST profile for Suite B, and that it should be
the strong one / Top Secret.
Other lesser profiles could be MAY, or if you let the
agility nazis have their way, absent, as they have no
economic use and lots and lots of costs to users.
(The reason I say that 'Secret' could be a MAY is that there
are complicated blah blahs in the government/security world
that sometimes force suppliers to provide several modes,
against good security practice.)
(I'm aware of the "mobile" argument that was raised in the
previous post. I would say that the mobile boys propose a
"mobile" profile. That's because mobile has other aspects
that aren't necessarily considered in Suite B.)
There are also other changes we will need to do on the horizon. For
example, someday there will be an AHS hash algorithm set from NIST. Do
we not to that, either? The argument you give is to have no choices.
Yes. AHS is years away, if AES was any guide. AHS won't
improve overall security markedly over SHA256-512 family.
NIST/NSA will also have to update Suite B when AHS comes out.
When all that dust settles, then is the time to reconsider
it. I would plan on Suite B (one profile) now and know that
in 5 or 7 years we will need to do a Suite B-bis.
For the people who want more, is to use S/MIME? If so, and if that's
the decision of the working group -- well, I disagree, but rough
consensus is rough consensus. My company does both OpenPGP and S/MIME.
If the answer to people who want Suite B is that we support it with S/
MIME, that's fine. It is also a huge disappointment, because I would
like to satisfy people's ECC and Suite B needs with OpenPGP, but we
can always migrate people to S/MIME who need that.
I think there should be a Suite B, in OpenPGP.
And, to forestall the outrage, I fully expect to not get
consensus on my plea to reduce agility :) We waited for 10
years to get the current OpenPGP draft, so we can wait
another 10 years to find out why it took 10 years...