ietf-openpgp

Re: [openpgp] First 4880bis drafts

2015-11-05 13:31:07
On 05/11/2015 01:30, brian m. carlson wrote:
> On Wed, Nov 04, 2015 at 06:34:33PM +0100, Aaron Zauner wrote:
>> * Werner Koch <wk(_at_)gnupg(_dot_)org> [04/11/2015 12:51:25] wrote:
>>>     o  Added Camellia cipher from RFC 5581.
>> Hrm. I'm against this.

++1++


>> CAMELLIA is going to be deprecated in e.g.
>> TLS because barely anyone uses it. I'm explicitly excluding anything
>> other than AES128 or 256 from my GnuPG config currently, I haven't
>> noticed any breakage in almost a year:
>> https://github.com/azet/dotfiles/blob/master/.gnupg/gpg.conf
> As Werner pointed out, Camellia has been around for some time.


Whatever - let implementations provide Camellia if they want to; they will to handle archives and so forth.

The *standard* should do better, work for the benefit of all.

The standard should have an aggressive role in deprecation.

> It's also good to have enough diversity that if someone comes out with a
> major attack against AES, we're not totally sunk.

This is hypothetical. It's never happened in our time. Our cryptographers are better than that, let's rely on them.

> Camellia is a Feistel
> cipher, while AES is a substitution-permutation network, which means
> that attacks are unlikely to work against both.


Sorry - can we worry about realistic user problems not hypothetical academic issues?


> Currently, if AES were to be broken, TLS implementations would not
> interoperate at a 128-bit or higher security level.  OpenPGP would
> continue to function without much thought, which is a major asset.

? AES isn't going to be broken. Software is going to be buggy - let's reduce complexity. Protocols might be flawed, let's make it simpler. But AES broken? No. Get realistic.


> I'm for deprecating algorithms which provide less than a 128-bit
> security level, such as SHA-1 and 3DES.


It is the case that we face a threat around the 80 bit mark.  Sure.

So, I'd suspect we're going to set a mark for future OpenPGP at the 256 bit level. This would have been a no-brainer until recent NSA Suite B news. Does anyone have a feeling for where we'd like to draw the line now?

iang

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
