ietf-openpgp

Re: [openpgp] Regulation of algo deprecation

2015-11-04 04:51:40
On Wednesday, November 4, 2015 at 3:16 AM, Werner Koch wrote:
To: Nils Durner <ndurner(_at_)googlemail(_dot_)com>
Cc: openpgp(_at_)ietf(_dot_)org
Subject: Re: [openpgp] Regulation of algo deprecation

On Tue,  3 Nov 2015 23:14, ndurner(_at_)googlemail(_dot_)com said:

only Brainpool curves could be used: I don't see why. The 2014 version
of aforementioned catalog[0], as well as the 2015 draft (dated
28.10.2014), merely recommend Brainpool, but don't require it. For the

That is just one catalog but there are others.  For the German VS-NfD
(restricted level) other rules apply.  And the Russians have a different
catalog, as do the Japanese, and the Koreans, ...

This was my general thought when I read Nils' e-mail advocating using
regulation as guidance for deprecation.  I'm surprised he wasn't flooded
with responses.  I don't like this for two main reasons:

1. As Werner alludes to, we'd have to research the regulations of many
different countries.  And which countries are we talking about?... do we
have to come to agreement that we follow the guidelines/catalogs of only a
subset of countries?  This all seems very problematic.

2. If we're just going to rubber-stamp what Germany's Bundesnetzagentur,
USA's NSA/NIST, and others are recommending, then what's the point of *us*
going through the exercise of figuring out which algorithms that we
recommend or require to be deprecated?

Perhaps I'm taking Nils' use of the word "guidance" too strongly.  My view
is that our value as an IETF workgroup comes from an objective view of the
current state, where we judge the security of cryptographic algorithms based
on their technical and operational merits, unbiased by the view of any
governments or their standards bodies.

Regards,
Stan Borinski


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp