[Top] [All Lists]

Re: ECC in OpenPGP proposal

2008-02-28 08:08:37

Jon Callas wrote:

The short summary of my argument is that there should one and only one MUST profile for Suite B, and that it should be the strong one / Top Secret.

For a number of reasons, ECC/Suite B is going to be a MAY. You will be permitted to make an OpenPGP application that doesn't do it.

Hmmm... you raise an interesting point. I had thought that this was going to be a new document, and as it is not referred to in the existing core RFC, then ECC/Suite B was going to be a MAY by definition.

Within that new (MAY) document, there would be several choices for MUST, SHOULD, MAY, etc.

Or so I thought ... but I'm not fully aware of how these things interact.

Like many things coming out of NIST, they come in three flavors, 128- bit security, 192-bit, and 256-bit. I have no objection myself to canning the 192-bit ones. I'm of the opinion that if you need more than 128, you should go to 256. In many cases, there isn't even a performance win on the 192-bit system.

However, there are very good arguments for doing 192-bit as well, and one of those arguments is that it may be easier to do the 192-bit versions than to explain why you didn't.

In the sense that it exists, and people think it has to exist, yes. "why go against the flow, it's only security after all..." Yes, I agree. In that market, that is the pressure you will get.

I don't see how we can simplify past dropping 192.

OK, if you are happy to carry on this discussion ... what are the reasons for including the 128-bit profile?

(I know I'm exceeding my noise quota here .. but I hate the thought that we are happily reducing overall security by providing users too many options for them to achieve compatibility with each other.)