-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OK, so Jon argues that the market forces will push a full set of
profiles, regardless of the damage done to security.

That's not at all what I argue, and I'm miffed at its being
characterized that way.

If I am arguing anything it is that choices have consequences.

I have *observed* that if we don't do ECC at all, then people who want
ECC have to use some other protocol. We seem to be in rough consensus
that that is a bad thing.

I have *observed* that if we do only the strong profile, then we cut
out smart cards and bounded devices.

I have *observed* that if we don't do the middle profile (which I have
no personal love for), then we expose ourselves to missing out on
something because of good reasons that we do not understand.

The consequence of these three observations is that if we push to
minimalism, we run the risk of missing the needs of the end users.
That could mean that we've wasted our time.

I have also *observed* that any labeling of this as MAY, SHOULD, or
MUST is mostly an illusion. ECC is an option. Options within options
are really not possible. I support minimalism, as well as guidance,
but there are also consequences.

It would be bad for OpenPGP to have a standard that could not be
implemented on light bulbs (I used to say cell phones, but they're now
400MHz devices), forcing the light bulb people to use something else.

It would be bad for OpenPGP to lose another potential market because
we took out something we're not happy with. (I am not happy with
192-bit security systems, as I've said. I'm also a realist.)

I worry a lot about what I call architectural arrogance. That
arrogance comes from presuming that because we're smart people, we are
therefore the smartest people, and to disagree is to be wrong. I agree
with you that all things being equal, 256-bit security is better than
128-bit security. I think that all things being equal, that's the way
to go. However, engineering is all about tradeoffs in the real world,
and in the real world all things are seldom equal.

A statement that says, "well, you can do P-256, but only if you do
P-521, too" (which is an expression in English of P-521=MUST,
P-256=MAY) is awfully close to architectural arrogance. In symmetric
crypto, we've slid to 256-bit security because it has a relatively
minimal incremental cost. We need to understand that that cost-benefit
win does not imply that AES-128 is "damaged" in its security.

In the absence of a real world, I think taking a hard stand (256-bit
or bust) is virtuous. In the presence of the real world I live in, a
concession about 128-bit crypto is necessary. I don't like the fact
that in the real world that the people whom I want to use OpenPGP live
in, a concession about 192-bit is necessary.

One of my co-workers has a statement that she sometimes says. She
says, "Do you want to be right, or do you want to be effective?" At
the end of the day, I want to be effective.

So therefore, what I am arguing is that the *consequence* of the
purity that I agree with is an outcome that would be ineffective.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII
wj8DBQFHyIkdsTedWZOD3gYRAi3PAKC/LaDXxIhsG7j6Ps5XlO0otZaXYACgp9Ty
IMVCcWhCf7tFQRJlarqD7Pk=
=ZLnE
-----END PGP SIGNATURE-----