On Thu, May 28, 2015 at 2:26 PM, Stephen Farrell
<stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>
wrote:
On 28/05/15 18:20, Werner Koch wrote:
I assumed that ECC will at least be a SHOULD algorithm and thus merging
6637 seems to be appropriate.
I'd say most folks here are aware of it but just in case...
It'd be good if the WG(-to-be) considered if they want to
incorporate the work on new curves being done by CFRG. That
might mean waiting a little longer as CFRG aren't done at
that although they seem to be making good progress now.
Wearing no hats, I think it'd be good to include the new
curves in this work.
Exactly what I was about to say.
I don't actually care very much which ECC we do. What I care about is that
instead of having fifty different variations and curlicues we have one high
strength and one ridiculously high strength approach. And I want to use
that same approach for S/MIME, TLS, SSH and OpenPGP.
This provides many benefits. First off, it means that instead of tracking
five separate sets of implementation experience, we have one. If someone
comes up with a TLS attack we can look at OpenPGP and see if the same sort
of thing might apply. TLS is going to get orders of magnitude more
implementation experience than anything else so chances are we will have a
solid implementation there long before we could gain experience on any
other application.
Another reason for the change is that then 'support for CFRG ECC' becomes
shorthand for 'support for crypto vNext'. Checking protocol version numbers
is quite tricky. Checking to see if they do an algorithm, much easier.
Problem is that security comes from removing features that seemed like a
good idea at the time. But that doesn't appear in marketing collateral.
Support for new algorithms does.
And finally, biggest problem with ECC has been that it is just too much new
complexity for too little reward many of us. When I see crypto with a
bazillion options, I see 'needs further work'. One of the main reasons RSA
is so dominant is that there is one algorithm and the way to implement it
has changed only three times in twenty years.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp