ietf-openpgp
[Top] [All Lists]

Re: ECC in OpenPGP proposal

2008-02-29 09:45:44

On 2/29/08, Ian G <iang(_at_)systemics(_dot_)com> wrote:
David Crick wrote:

 > How hard-coded do we want/need to make the[se] cipher-hash-curve
 > combinations?  For Suite B compatibility/marketability we need
 > them "fixed" (especially in light of pointing out the higher
 > relative MAY cipher size) and the hash fixed as SHA2 (as opposed
 > to, say, a hypothetical Whirlpool; SHA3 could be added later).

Me:  hardcoded.  Nobody ever showed that SHA wasn't good
 enough for the job and NIST/NSA is happy with it, until 2012.
...
 If the Europeans want to propose a EuroSuite, let them.
 Let's not jump on the bandwagon and make the profile
 all-things-for-all-humanity.

I'm 1000% happy with fixing the curve-hash sizes *and* only SHA2.

*I* would also be 100% happy fixing the cipher sizes with only AES.

*However*, are we ( <waits for other people to pipe up> ) willing to
insist that for OpenPGP ECC you *absolutely* MUST use AES *and*
at these specific sizes for the corresponding algorithm sets below?

MAY implement ECC
   o MUST implement   AES128-SHA256-256ECC
   o SHOULD implement AES256-SHA512-521ECC
   o MAY implement    AES256-SHA384-384ECC


Aside from the side-effect of 4880 (and predecessor's) 3DES MUST,
this would be the first time that we are mandating specific cipher
usage.  We're not saying "SHOULD" (and WARN the user if they do
otherwise), we're saying MUST.  (A watered-down compromise would
be to say "for Suite B compliance, AES MUST be used," just as we've
said for DSS compliance SHA must be used [and at certain sizes]).

<Prev in Thread] Current Thread [Next in Thread>