sorry, I once again did reply to sender rather than reply
to all - my reply was meant for everyone and not just
Len.
Hey, it's a *good* security habit to have! :)
---------- Forwarded message ----------
From: David Crick <dacrick(_at_)gmail(_dot_)com>
Date: Mar 4, 2008 5:15 PM
Subject: Re: ECC in OpenPGP proposal
To: Len Sassaman <rabbi(_at_)abditum(_dot_)com>
On 3/4/08, Len Sassaman <rabbi(_at_)abditum(_dot_)com> wrote:
> On Sat, 1 Mar 2008, David Crick wrote:
> >
> > On 3/1/08, Daniel A. Nagy <nagydani(_at_)epointsystem(_dot_)org> wrote:
> > > I think, Andrey makes a very important point here. The option to use 3DES
> > > symmetric encryption, SHA1 digest and ZLIB compression must remain open until
> > > a formal process of phasing them out is initiated, with a clear road map.
> > > Right now, excluding these algorithms would break interoperability in a very
> > > bad way, as described by Andrey.
> >
> > as someone said about alternative V5 key routes - let's absolutely
> > make sure we break it!
>
> That was more than one person, I think, but I was one of them.

thanks for clarifying this.

> Breaking compatibility on the protocol level doesn't mean breaking it on
> the actual application level. In a different thread, there was discussion
> of people using "regular" DSA/EG keys and then adding a recipient who uses
> ECC. So what? The application can encrypt twice, and send the properly
> encrypted messages to the appropriate people.

I think I've also pointed this out (either that or I've thought it
but not explicitly said it!)

> Backwards compatibility on the protocol level means forward compatibility
> on protocol level attacks. Let's not do that, eh?
>
> [Obviously we don't want to be breaking compatibility all the time, but for
> something as big as v5, that we've been talking about for almost a decade,
> I think it's reasonable to both get it right, and cut the last decade+'s
> legacy of cruft loose, and leave the application to support v4 and v5 if
> the designer so desires. A lot of the things done in OpenPGP are, in
> hindsight, missteps. Hindsight is cheap. Let's make use of it when it is
> appropriate.]
I really would *ideally* like to see just one cipher suite, which I
could see would be: SHA384-AES256-ECC384_DH_DSA.
This uses our largest respective algorithms while being Suite B
compliant. As Ian pointed out, we really are into new territory with
Suite B - PGP (2) used to say "military strength" when listing larger
key sizes; now we can legitimately say "TOP SECRET strength"!
[Yes, as an aside, I know that the latter would actually require
restricted key generations, physical security measures, tamper
evident seals, blah, blah, blah.]
I'm actually more concerned that web sites are still using 1024
bit (well, 1120 Bits it says for gmail for me) SSL public keys and
SHA1, rather than the fact that somebody might use 3DES as a
cipher when sending a message to my 521-bit ECC key.
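The "encrypt twice" idea from Len's message, and the 3DES interoperability floor Nagy is defending, can be shown as sender-side logic. The following is an added example, not code from the thread or from any OpenPGP implementation: it splits a recipient set into a legacy (v4) group and an ECC group, and for each group picks the most-preferred symmetric cipher all members share. The v4 rule that TripleDES is tacitly at the end of every preference list is from RFC 4880 section 13.2; the assumption that the ECC group gets a new message format with no implicit fallback stands in for the proposal under discussion. The recipient keys and preference lists are constructed for illustration.

```python
"""Added example: how many OpenPGP messages a sender must produce for a mixed
recipient set, and which symmetric cipher each message can use.

Recipient data below is constructed. The implicit-TripleDES rule for v4
follows RFC 4880 section 13.2; the 'v5 has no implicit fallback' rule is an
assumption standing in for the ECC proposal discussed in the thread.
"""
from collections import OrderedDict

# Symmetric algorithm IDs from RFC 4880 section 9.2.
TRIPLEDES = 2
CAST5 = 3
AES128 = 7
AES256 = 9

# Assumption: any recipient holding an ECC key is addressed with the new
# message format; RSA/DSA/ElGamal recipients get a classic v4 message.
LEGACY_PK = {"RSA", "DSA", "ELGAMAL"}
ECC_PK = {"ECDH", "ECDSA"}


def select_cipher(pref_lists, *, implicit_fallback):
    """Pick the most-preferred cipher that every recipient supports.

    pref_lists: one ordered list of algorithm IDs per recipient.
    implicit_fallback: ID appended to every list when absent (v4: TripleDES),
    or None for a format with no guaranteed floor.
    Returns the chosen ID, or None when the lists share no algorithm.
    """
    lists = []
    for prefs in pref_lists:
        prefs = list(prefs)
        if implicit_fallback is not None and implicit_fallback not in prefs:
            prefs.append(implicit_fallback)
        lists.append(prefs)
    common = set(lists[0]).intersection(*lists[1:])
    # Rank by the first recipient's order; RFC 4880 leaves the tie-break
    # among common algorithms to the sender.
    for alg in lists[0]:
        if alg in common:
            return alg
    return None


def plan_messages(recipients):
    """Split recipients by key format and choose one cipher per message.

    recipients: {name: {"pk": public-key algorithm name, "prefs": [IDs]}}
    Returns [(format, [names], cipher_id_or_None), ...], one entry per
    message the sender has to produce.
    """
    groups = OrderedDict()
    for name, key in recipients.items():
        if key["pk"] in ECC_PK:
            groups.setdefault("v5", []).append(name)
        elif key["pk"] in LEGACY_PK:
            groups.setdefault("v4", []).append(name)
        else:
            raise ValueError(f"unknown public-key algorithm for {name}")
    plan = []
    for fmt, names in groups.items():
        fallback = TRIPLEDES if fmt == "v4" else None
        cipher = select_cipher([recipients[n]["prefs"] for n in names],
                               implicit_fallback=fallback)
        plan.append((fmt, names, cipher))
    return plan


# Constructed recipients: two legacy keys whose explicit preferences do not
# overlap (so only the tacit TripleDES saves the v4 message), plus one ECC key.
RECIPIENTS = {
    "alice": {"pk": "DSA", "prefs": [AES256, CAST5]},
    "bob":   {"pk": "RSA", "prefs": [AES128]},
    "carol": {"pk": "ECDH", "prefs": [AES256]},
}

if __name__ == "__main__":
    for fmt, names, cipher in plan_messages(RECIPIENTS):
        print(fmt, names, cipher)
```

Running it yields two messages: a v4 one to alice and bob that falls through to TripleDES, and a v5 one to carol using AES-256. Dropping the implicit fallback for the v4 group would instead leave alice and bob with no common cipher, which is the interoperability break Nagy describes.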