Re: ECC in OpenPGP proposal, second revision
2008-03-17 08:45:37
 
Andrey Jivsov wrote:
 
>> I think section 12 also needs to explicitly deprecate AES-192, saying
>> that it's not necessarily going to be fielded widely (bring in the fact
>> that it is only a MAY here might help), isn't one of the Suite B ciphers,
>> and that it's probably only suitable if for some reason you *really*
>> need a 192-bit cipher: otherwise go for AES256 for security or -128
>> for performance.
>
> I hope that we find a consensus in not explicitly promoting AES-192
> instead. There are many reasons why mobile/weak hardware devices may
> wish the middle-of-the-road approach with AES-192/ECC-384.
 
I agree with David, I personally have yet to see a valid 
engineering reason why one would use AES-192. 
Jon has laid out some non-engineering reasons why it should 
be there, and that's a difficult area for us to argue 
against (maybe something Jon and I agree violently over). 
So I guess we are agreed that it should be possible to do 
AES-192 ... but that doesn't mean we should encourage it at all. 
AES-128+friends gives a whole lot of security, and that is 
probably enough for most if not every mobile application. 
You want more than 128?  Go for the top profile (or go find 
a machine with the top profile).  If your attacker can 
crunch AES-128+friends then we can't possibly recommend 
AES-192 because we just don't know what your attacker is up to. 
I like David's skepticism in words, above.  RFC consumers 
who fancy something "a bit better than 128" should be 
discouraged, or understand that they are creating problems, 
they'd better be prepared for the consequences, and the 
community isn't working for them any more.  Deprecated is a 
good scary word. 
> If we were to discourage AES-192, we will need convincing references to
> data that support and explain our choice.
 
I see no sweet spot in that data, so I read it as supporting 
the lack of value in AES-192. 
iang
 