> Yes, there are security ramifications. Are we really
> implementing Suite B if the application can leak info by
> sending out emails encrypted in Suite B (strong) and in 3DES
> to some 512 RSA key (not so strong)?

Going forward we need to re-establish what is considered
minimally secure.

I should also have added that in our OpenPGP-ECC doc
we are pointing out equivalent strengths and further stating
that for Suite B compliance there are further restrictions.

I can see quite easily a PGP option checkbox or GnuPG flag
that says --strict-SuiteB-ECC. This could *refuse* to encrypt
to multiple keys using a smaller cipher.

We have the same situation today. There's no point me
changing my GnuPG source to allow me to generate a 7K
RSA encryption key, because unless all my correspondents
*also* use the same/equivalent/stronger lengths, then the
session key is at the mercy of the smallest public key size.
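
The weakest-link point made in the message above, as an added Python sketch that is not part of the original post and is not GnuPG or PGP code. The function names, the 128-bit floor, the use of the NIST SP 800-57 Part 1 comparable-strength table, and the three recipients are assumptions made for the illustration.

```python
# Added illustration; names and sample data are assumptions, not GnuPG/PGP code.
# Comparable strengths in bits, per NIST SP 800-57 Part 1.
RSA_STRENGTH = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
ECC_STRENGTH = {"P-256": 128, "P-384": 192, "P-521": 256}
CIPHER_STRENGTH = {"AES256": 256, "AES192": 192, "AES128": 128, "3DES": 112}


class PolicyError(Exception):
    """Raised when strict mode refuses a recipient set."""


def key_strength(algo, param):
    if algo == "ECC":
        return ECC_STRENGTH[param]
    if algo == "RSA":
        for bits, strength in RSA_STRENGTH:
            if param >= bits:
                return strength
        return 0  # below 1024 bits: not in the table, treated as no strength
    raise ValueError(f"unknown algorithm {algo!r}")


def pick_cipher(recipients):
    # Strongest cipher that every recipient lists. 3DES is implicitly accepted
    # by every OpenPGP implementation (RFC 4880), so it is always the fallback.
    for cipher in CIPHER_STRENGTH:  # dict order is strongest first
        if all(cipher == "3DES" or cipher in r["prefs"] for r in recipients):
            return cipher


def effective_strength(recipients, floor=None):
    """Return (cipher, bits); with a floor set, refuse instead of downgrading."""
    cipher = pick_cipher(recipients)
    weakest = min(recipients, key=lambda r: key_strength(r["algo"], r["param"]))
    bits = min(CIPHER_STRENGTH[cipher], key_strength(weakest["algo"], weakest["param"]))
    if floor is not None and bits < floor:
        raise PolicyError(f"{bits}-bit effective strength (cipher {cipher}, "
                          f"weakest key {weakest['name']}) is below {floor}")
    return cipher, bits


# Constructed recipients for the demonstration.
ALICE = {"name": "alice", "algo": "ECC", "param": "P-384", "prefs": ["AES256", "AES128"]}
BOB = {"name": "bob", "algo": "RSA", "param": 7680, "prefs": ["AES256"]}
CAROL = {"name": "carol", "algo": "RSA", "param": 512, "prefs": []}
```

Adding the one weak recipient drags both the cipher choice and the key-wrapping strength down for everyone on the message; passing `floor=128` models the strict behaviour of refusing rather than silently downgrading.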