ietf-openpgp

Re: [openpgp] First 4880bis drafts

2015-11-04 19:31:09
On Wed, Nov 04, 2015 at 06:34:33PM +0100, Aaron Zauner wrote:
> * Werner Koch <wk(_at_)gnupg(_dot_)org> [04/11/2015 12:51:25] wrote:
>
> >    o  Added Camellia cipher from RFC 5581.
>
> Hrm. I'm against this. CAMELLIA is going to be deprecated in e.g.
> TLS because barely anyone uses it. I'm explicitly excluding anything
> other than AES128 or 256 from my GnuPG config currently, I haven't
> noticed any breakage in almost a year:
> https://github.com/azet/dotfiles/blob/master/.gnupg/gpg.conf

As Werner pointed out, Camellia has been around for some time.  It's
also good to have enough diversity that if someone comes out with a
major attack against AES, we're not totally sunk.  Camellia is a Feistel
cipher, while AES is a substitution-permutation network, which means
that attacks are unlikely to work against both.

Currently, if AES were to be broken, TLS implementations would not
interoperate at a 128-bit or higher security level.  OpenPGP would
continue to function without much thought, which is a major asset.

I'm for deprecating algorithms which provide less than a 128-bit
security level, such as SHA-1 and 3DES.

> The ECC addition makes sense, but I'd also limit the number of
> possible curves to a few vetted ones instead of verbatim including
> all those NIST curves. For example: do we want to keep P256? Or are
> we going with a higher 'security level' altogether? I consider this
> cruft that should be removed. Why not just use Curve25519 and
> Goldilocks?

I believe Google's End-to-End is using the NIST curves, and there are
already keys using these curves.  I think Curve25519 and Goldilocks
would be valuable due to their rigidity and the CFRG endorsement.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
