
ECC in OpenPGP proposal

2008-03-04 10:39:26

Sorry, I once again replied to the sender rather than to all - my reply
was meant for everyone and not just Len.

Hey, it's a *good* security habit to have! :)

---------- Forwarded message ----------
From: David Crick <dacrick(_at_)gmail(_dot_)com>
Date: Mar 4, 2008 5:15 PM
Subject: Re: ECC in OpenPGP proposal
To: Len Sassaman <rabbi(_at_)abditum(_dot_)com>


On 3/4/08, Len Sassaman <rabbi(_at_)abditum(_dot_)com> wrote:
 On Sat, 1 Mar 2008, David Crick wrote:

 >
 > On 3/1/08, Daniel A. Nagy <nagydani(_at_)epointsystem(_dot_)org> wrote:
 > > I think, Andrey makes a very important point here. The option to use 3DES
 > > symmetric encryption, SHA1 digest and ZLIB compression must remain open until
 > > a formal process of phasing them out is initiated, with a clear road map.
 > > Right now, excluding these algorithms would break interoperability in a very
 > > bad way, as described by Andrey.
 >
 > as someone said about alternative V5 key routes - let's absolutely
 > make sure we break it!


That was more than one person, I think, but I was one of them.


thanks for clarifying this.



 Breaking compatibility on the protocol level doesn't mean breaking it on
 the actual application level. In a different thread, there was discussion
 of people using "regular" DSA/EG keys and then adding a recipient who uses
 ECC. So what? The application can encrypt twice, and send the properly
 encrypted messages to the appropriate people.


I think I've also pointed this out (either that or I've thought it
 but not explicitly said it!)


 Backwards compatibility on the protocol level means forward compatibility
 on protocol level attacks. Let's not do that, eh?

 [Obviously we don't want to be breaking compatibility all the time, but for
 something as big as v5, that we've been talking about for almost a decade,
 I think it's reasonable to both get it right, and cut the last decade+'s
 legacy of cruft loose, and leave the application to support v4 and v5 if
 the designer so desires. A lot of the things done in OpenPGP are, in
 hindsight, missteps. Hindsight is cheap. Let's make use of it when it is
 appropriate.]


I really would *ideally* like to see just one cipher suite, which I
 could see would be: SHA384-AES256-ECC384_DH_DSA.

 This uses our largest respective algorithms while being Suite B
 compliant.  As Ian pointed out, we really are into new territory with
 Suite B - PGP (2) used to say "military strength" when listing larger
 key sizes; now we can legitimately say "TOP SECRET strength"!

 [Yes, as an aside, I know that the latter would actually require
 restricted key generations, physical security measures, tamper
 evident seals, blah, blah, blah.]


 I'm actually more concerned that web sites are still using 1024
 bit (well, 1120 Bits it says for gmail for me) SSL public keys and
 SHA1, rather than the fact that somebody might use 3DES as a
 cipher when sending a message to my 521-bit ECC key.
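The "encrypt twice" approach Len describes above, as an added example that is not part of the original thread or any OpenPGP implementation. It models RFC 4880 symmetric-algorithm negotiation (the sender must pick an algorithm present in every recipient's preference list, and TripleDES is tacitly at the end of every v4 key's list), shows how a single legacy recipient drags a shared message down to 3DES, and then partitions recipients into groups so that each group is encrypted with the strongest algorithm its members share. The recipient names, preference lists and the `legacy_v4` flag for an ECC key that carries no implicit 3DES are constructed assumptions for the demonstration.

```python
"""Per-group algorithm negotiation for mixed legacy / ECC recipients.

Constructed example: the recipients and their preference lists are made up.
Algorithm names follow RFC 4880 (TripleDES, CAST5, AES128/192/256).
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Sender's own ranking, strongest first; used to break ties among the
# algorithms every recipient in a group accepts.
SENDER_PREFS: Sequence[str] = ("AES256", "AES192", "AES128", "CAST5", "3DES")
STRENGTH: Dict[str, int] = {alg: rank for rank, alg in enumerate(reversed(SENDER_PREFS))}


@dataclass
class Recipient:
    name: str
    prefs: List[str]        # preferred symmetric algorithms from the key's self-signature
    legacy_v4: bool = True  # v4 key: RFC 4880 §13.2 makes TripleDES tacitly acceptable

    def acceptable(self) -> List[str]:
        algs = list(self.prefs)
        if self.legacy_v4 and "3DES" not in algs:
            algs.append("3DES")  # implicit MUST-implement fallback for v4 keys
        return algs

    def best(self) -> int:
        return max(STRENGTH[a] for a in self.acceptable())


def negotiate(recipients: Sequence[Recipient]) -> str:
    """Return the strongest algorithm acceptable to every recipient, or raise."""
    common = set(recipients[0].acceptable())
    for r in recipients[1:]:
        common &= set(r.acceptable())
    for alg in SENDER_PREFS:
        if alg in common:
            return alg
    raise ValueError("no symmetric algorithm acceptable to all recipients")


def plan_messages(recipients: Sequence[Recipient]) -> List[Tuple[str, List[Recipient]]]:
    """Split recipients into groups, one encrypted message per group.

    Recipients are processed strongest-first; a recipient joins an existing
    group only if doing so leaves that group's negotiated algorithm unchanged,
    so nobody is downgraded to satisfy a weaker key.
    """
    groups: List[Tuple[str, List[Recipient]]] = []
    for r in sorted(recipients, key=Recipient.best, reverse=True):
        for i, (alg, members) in enumerate(groups):
            try:
                if negotiate(members + [r]) == alg:
                    groups[i] = (alg, members + [r])
                    break
            except ValueError:
                continue  # no common algorithm with this group; try the next
        else:
            groups.append((negotiate([r]), [r]))
    return groups


# Constructed recipients: an ECC (v5-style) key with no legacy fallback,
# a current v4 key, and an old v4 key that only lists CAST5.
ALICE = Recipient("alice", ["AES256"], legacy_v4=False)
BOB = Recipient("bob", ["AES256", "AES128"])
CAROL = Recipient("carol", ["CAST5"])
DEMO = [ALICE, BOB, CAROL]


def demo_plan() -> List[Tuple[str, List[str]]]:
    """Negotiation plan for the constructed recipients, as (algorithm, names)."""
    return [(alg, [r.name for r in members]) for alg, members in plan_messages(DEMO)]


if __name__ == "__main__":
    print("bob+carol in one message ->", negotiate([BOB, CAROL]))  # downgraded to 3DES
    for alg, names in demo_plan():
        print(f"encrypt once with {alg} for {', '.join(names)}")
```

Running it shows the two failure modes the thread is arguing about: Bob and Carol alone negotiate down to 3DES, and adding Alice's ECC key (which never accepts 3DES) leaves no common algorithm at all. The partitioned plan instead produces one AES256 message for Alice and Bob and one CAST5 message for Carol.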
