Re: ECC in OpenPGP proposal
2008-02-28 08:08:37
Jon Callas wrote:
The short summary of my argument is that there should be one and only
one MUST profile for Suite B, and that it should be the strong one /
Top Secret.
For a number of reasons, ECC/Suite B is going to be a MAY. You will be
permitted to make an OpenPGP application that doesn't do it.
Hmmm... you raise an interesting point. I had thought that
this was going to be a new document, and as it is not
referred to in the existing core RFC, then ECC/Suite B was
going to be a MAY by definition.
Within that new (MAY) document, there would be several
choices for MUST, SHOULD, MAY, etc.
Or so I thought ... but I'm not fully aware of how these
things interact.
Like many things coming out of NIST, they come in three flavors,
128-bit security, 192-bit, and 256-bit. I have no objection myself to
canning the 192-bit ones. I'm of the opinion that if you need more
than 128, you should go to 256. In many cases, there isn't even a
performance win on the 192-bit system.
However, there are very good arguments for doing 192-bit as well, and
one of those arguments is that it may be easier to do the 192-bit
versions than to explain why you didn't.
In the sense that it exists, and people think it has to
exist, yes. "why go against the flow, it's only security
after all..." Yes, I agree. In that market, that is the
pressure you will get.
I don't see how we can simplify past dropping 192.
OK, if you are happy to carry on this discussion ... what
are the reasons for including the 128-bit profile?
(I know I'm exceeding my noise quota here .. but I hate the
thought that we are happily reducing overall security by
providing users too many options for them to achieve
compatibility with each other.)
iang