ianG <iang(_at_)iang(_dot_)org> writes:
f) standardize the two new curves coming out of the CFRG: 25519 and
curve448 ("goldilocks") for both signatures and encryption (Werner
has already started this process for 25519 signatures)
Why two curves? Is this just the algorithm agility discussion or is
there an actual difference between them? Why not just use the
stronger one and be done with it?
(Not wishing to start the algorithm agility debate, I'm sure
everyone's familiar with the basics there, just wondering if there is
any other motivation.)
Speed/Security tradeoff. The two curves appear to be Curve25519 and
then Goldilocks-448. The former is significantly faster than the
latter, so there is a desire for two curves to allow the speed/security
tradeoff.
l) change MTI algorithms: SHA512, the two new ECs, and the new AEAD
mechanism should be the baseline.
No RSA? Is there consensus amongst devs that enough of us aren't
going to implement RSA anyway? We're ready to make a clean break, and
actually mitigate against it?
Just because RSA isn't MTI algorithm doesn't mean that it WONT get
implemented. AES isn't MTI and most implementations seem to support it
today.
There's is a relatively small difference between MUST and SHOULD, a
larger difference between SHOULD and MAY, and a large canyon between MAY
and *NOT.
I believe the suggestions here are MUST v SHOULD.
(I'm happy to join the witch-burning party, but it's had such long
legs, it saw off the DSA challenger even tho many tried to kill it.)
iang
-derek
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp