On Sun, May 4, 2008 at 5:13 PM, David Shaw <dshaw(_at_)jabberwocky(_dot_)com>
wrote:
On Sat, May 03, 2008 at 02:11:07PM -0700, Andrey Jivsov wrote:
> ===================================================================
> C. Higher layers of application will govern compliance
> with Suite B. "ECC in OpenPGP" document will define
> reasonable superset of features required for Suite-B
> or similar government documents, but exact
> specification of the policies to use ECC in OpenPGP
> is out of scope.
> ===================================================================
I vote for C. Keep the policies out of the standard and leave it up
to the implementers. I'm not against having policies specified, but
I'd rather see them in a different document for use by those people
who need them. There is precedence here: OpenPGP specifies DSA and
not DSS.
David
4880 13.6 starts with:
13.6. DSA
An implementation SHOULD NOT implement DSA keys of size less than
1024 bits. It MUST NOT implement a DSA key with a q size of less
than 160 bits. DSA keys MUST also be a multiple of 64 bits, and the
q size MUST be a multiple of 8 bits.
and ends with:
Note that earlier versions of this standard only allowed a 160-bit q
with no truncation allowed, so earlier implementations may not be
able to handle signatures with a different q size or a truncated
hash.
which I would say would be "on using DSA in OpenPGP." But then in
the middle of those two bits has all of this:
The Digital Signature Standard (DSS) [FIPS186] specifies that DSA be
used in one of the following ways:
* 1024-bit key, 160-bit q, SHA-1, SHA-224, SHA-256, SHA-384, or
SHA-512 hash
* 2048-bit key, 224-bit q, SHA-224, SHA-256, SHA-384, or SHA-512
hash
* 2048-bit key, 256-bit q, SHA-256, SHA-384, or SHA-512 hash
* 3072-bit key, 256-bit q, SHA-256, SHA-384, or SHA-512 hash
The above key and q size pairs were chosen to best balance the
strength of the key with the strength of the hash. Implementations
SHOULD use one of the above key and q size pairs when generating DSA
keys. If DSS compliance is desired, one of the specified SHA hashes
must be used as well. [FIPS186] is the ultimate authority on DSS,
and should be consulted for all questions of DSS compliance.
which by your argument "shouldn't be in" OpenPGP.
We've got the same thing with Suite-B, only the fact that it's not just
a case of Suite-B being a restricted subset of OpenPGP ECC (as DSS is
of 4880), but that there's a conflict between the 4880 spec and Suite-B
(i.e. (at least) the issue of 3DES).