On Fri, 14 Mar 2014 19:00, dkg(_at_)fifthhorseman(_dot_)net said:
Do you think that saying "ring signatures are limited to these
new-fangled keys" would make the arguments for deniability stronger?
No.
So perhaps some guidance is suggested, along the lines of "Due to the
novelty of this scheme within OpenPGP as of this writing, making a ring
signature over multiple ECC keys offers more plausible deniability than
a ring signature covering an ECC key and any other form of public key"
Well, by only allowing only the use of ECC keys, we would do the same
without having to write this down.
Is there another argument for constraining ring signatures to ECC keys,
though? for example, arguments by implementation simplicity,
Implementation simplicity is always a valid argument. To take this further I
would even suggest to make the use of EdDSA a MUST and and all other
algos a MAY.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp