On 24/03/2015 16:46 pm, Phillip Hallam-Baker wrote:
* Maintaining algorithm registries takes time and effort
* Modern best practice for algorithms rejects the idea that more algorithms is
'better'.
* The security of the system is determined by the weakest algorithm an
attacker can persuade you to use,
* One Mandatory to implement plus a reserve is generally emerging as best
I would say One+One is emerging as a centrist compromise. On the left,
there are the pluralists, and on the right, there are OneTrueBelievers.
Personally, I think the numbers are balanced between the right and the
center, with the left (many) now a clear minority party. Or at least,
that's what a straw poll showed about 6 months back.
* Support for vanity crypto is an unfortunate necessity.
That ... is an argument I'd love to see fleshed out.
* ASN.1 OIDs are kind of obnoxious
* Suites don't work
* Most OpenPGP folk would like to use short identifiers
For many years I have wanted a way to move discussion of vanity crypto out of
the IETF, etc. If we touch a spec, the vendor can pretend that we endorse it.
So what I propose is a two level scheme:
Mandatory and Recommended algorithms are registered in a short identifier
registry.
For everything else there is a reserved 'escape code' that states the algorithm
is specified by OID.
OIDs do get a little large sometimes. But they do have the advantage that
nobody can claim that they have IETF endorsement. That is not true of any
scheme we could devise ourselves.
This approach means that there is a real difference between being one of the
supported algorithms and the recommended algorithm.
Assuming your premises, this is a good proposal.
iang
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp