ietf-openpgp

Re: ECC in OpenPGP proposal

2008-02-29 16:05:00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, so Jon argues that the market forces will push a full set of  
profiles, regardless of the damage done to security.

That's not at all what I argue, and I'm miffed at characterizing it  
that way.

If I am arguing anything it is that choices have consequences.

I have *observed* that if we don't do ECC at all, then people who want  
ECC have to use some other protocol. We seem to be in rough consensus  
that that is a bad thing.

I have *observed* that if we do only the strong profile, then we cut  
out smart cards and bounded devices.

I have *observed* that if we don't do the middle profile (which I have  
no personal love for), then we expose ourselves to missing out on  
something because of good reasons that we do not understand.

The consequence of these three observations is that if we push to  
minimalism, we run the risk of missing the needs of the end users.  
That could mean that we've wasted our time.

I have also *observed* that any labeling this as MAY, SHOULD, or MUST  
is mostly an illusion. ECC is an option. Options within options is  
really not possible. I support minimalism, as well as guidance, but  
there are also consequences.

It would be bad for OpenPGP to have a standard that could not be  
implemented on light bulbs (I used to say cell phones, but they're now  
400MHz devices), forcing the light bulb people to use something else.  
It would be bad for OpenPGP to lose another potential market because  
we took out something we're not happy with. (I am not happy with 192-bit
security systems, as I've said. I'm also a realist.)

I worry a lot about what I call architectural arrogance. That  
arrogance comes from presuming that because we're smart people, we are  
therefore the smartest people, and to disagree is to be wrong. I agree  
with you that all things being equal, 256-bit security is better than  
128-bit security. I think that all things being equal, that's the way  
to go. However, engineering is all about tradeoffs in the real world,  
and in the real world all things are seldom equal.

A statement that says, "well, you can do P-256, but only if you do  
P-521, too" (which is an expression in English of P-512=MUST,  
P-256=MAY) is awfully close to architectural arrogance. In symmetric  
crypto, we've slid to 256-bit security because it has a relatively  
minimal incremental cost. We need to understand that that cost-benefit  
win does not imply that AES-128 is "damaged" in its security.

In the absence of a real world, I think taking a hard stand (256-bit  
or bust) is virtuous. In the presence of the real world I live in, a  
concession about 128-bit crypto is necessary. I don't like the fact  
that in the real world people whom I want to use OpenPGP live in, a  
concession about 192-bit is necessary.

One of my co-workers has a statement that she sometimes says. She  
says, "Do you want to be right, or do you want to be effective?" At  
the end of the day, I want to be effective.

So therefore, what I am arguing is that the *consequence* of purity
that I agree with is an outcome that would be ineffective.

        Jon



-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII

wj8DBQFHyIkdsTedWZOD3gYRAi3PAKC/LaDXxIhsG7j6Ps5XlO0otZaXYACgp9Ty
IMVCcWhCf7tFQRJlarqD7Pk=
=ZLnE
-----END PGP SIGNATURE-----
