Hi,

a few weeks ago I already mentioned that I would like to implement
Ed25519 in GnuPG. Meanwhile I did that but I am not sure whether we
really want this hack.

Ed25519 is based on Curve25519 but uses a different signature algorithm
than EdDSA. That algorithm avoids a lot of the pitfalls of using plain
ECDSA. The paper [1] explains this in detail. I implemented that by
switching to this algorithm for a certain OID. It does not look right
to do so. Thus I wonder whether we had better assign a new id for EdDSA.

I have not yet seen the specs for Curve3617 but I assume that it uses a
similar scheme for signing. Thus Ed25519 and a signing algorithm for
Curve3617 may share the same algorithm id. Or well, for an even more
compact key format we could also directly assign an algorithm id for
Ed25519.

A separate algorithm id would also allow using the compressed key
format instead of packing it into the 0x04 uncompressed format as
specified by RFC 6637.

A problem I see in writing an I-D is that there is no formal
specification of Ed25519, just the paper. I am not sure whether that is
acceptable for an RFC. The next free algorithm id would be 22.

Shalom-Salam,

Werner

[1] See http://ed25519.cr.yp.to/

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp