Re: ECC in OpenPGP proposal

Jon Callas wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> > The short summary of my argument is that there should one and only  
> > one MUST profile for Suite B, and that it should be the strong one /  
> > Top Secret.

> For a number of reasons, ECC/Suite B is going to be a MAY. You will be  
> permitted to make an OpenPGP application that doesn't do it.

Hmmm... you raise an interesting point.  I had thought that 
this was going to be a new document, and as it is not 
referred to in the existing core RFC, then ECC/Suite B was 
going to be a MAY by definition.
Within that new (MAY) document, there would be several 
choices for MUST, SHOULD, MAY, etc.
Or so I thought ... but I'm not fully aware of how these 
things interact.

> Like many things coming out of NIST, they come in three flavors, 128- 
> bit security, 192-bit, and 256-bit. I have no objection myself to  
> canning the 192-bit ones. I'm of the opinion that if you need more  
> than 128, you should go to 256. In many cases, there isn't even a  
> performance win on the 192-bit system.
> However, there are very good arguments for doing 192-bit as well, and  
> one of those arguments is that it may be easier to do the 192-bit  
> versions than to explain why you didn't.

In the sense that it exists, and people think it has to 
exist, yes.  "why go against the flow, it's only security 
after all..."  Yes, I agree.  In that market, that is the 
pressure you will get.

> I don't see how we can simplify past dropping 192.

OK, if you are happy to carry on this discussion ... what 
are the reasons for including the 128-bit profile?
(I know I'm exceeding my noise quota here .. but I hate the 
thought that we are happily reducing overall security by 
providing users too many options for them to achieve 
compatibility with each other.)
iang