ietf-openpgp

Re: ECC in OpenPGP proposal, second revision

2008-03-17 08:45:37

Andrey Jivsov wrote:
I think section 12 also needs to explicitly deprecate AES-192, saying
that it's not necessarily going to be fielded widely (bring in the fact
that it is only a MAY here might help), isn't one of the Suite B ciphers,
and that it's probably only suitable if for some reason you *really*
need a 192-bit cipher: otherwise go for AES256 for security or -128
for performance.

I hope that we find a consensus in not explicitly promoting AES-192 instead. There are many reasons why mobile/weak hardware devices may wish the middle-of-the-road approach with AES-192/ECC-384.


I agree with David, I personally have yet to see a valid engineering reason why one would use AES-192.

Jon has laid out some non-engineering reasons why it should be there, and that's a difficult area for us to argue against (maybe something Jon and I agree violently over). So I guess we are agreed that it should be possible to do AES-192 ... but that doesn't mean we should encourage it at all.

AES-128+friends gives a whole lot of security, and that is probably enough for most if not every mobile application.

You want more than 128? Go for the top profile (or go find a machine with the top profile). If your attacker can crunch AES-128+friends then we can't possibly recommend AES-192 because we just don't know what your attacker is up to.

I like David's skepticism in words, above. RFC consumers who fancy something "a bit better than 128" should be discouraged, or understand that they are creating problems, they'd better be prepared for the consequences, and the community isn't working for them any more. Deprecated is a good scary word.


If we were to discourage AES-192, we will need convincing references to data that support and explain our choice.


I see no sweet spot in that data, so I read it as supporting the lack of value in AES-192.


iang