On Jun 27, 2016, at 9:45 AM, Kristian Fiskerstrand
<kristian(_dot_)fiskerstrand(_at_)sumptuouscapital(_dot_)com> wrote:
There seems to be a lot of doubt about the security of Algebraic Eraser
protocols (at least controversy) and little research compared to other
key exchange methods, without much gain from implementing it. What
would be the rationale for adding it?

Let me give two answers -- one a crypto answer and the other a standards answer.

Crypto-wise, Algebraic Eraser is a bit out there, but the issues with it are
far more issues with the ways it can be used badly than fundamental ways it is
horrible. Every major crypto mechanism we have, particularly public-key ones,
has major failure modes -- encoding and padding, parameter selection, and many
of those are nuanced as well. (Like using an RSA exponent of 3, which you can
do either wrong or right.) It is outre in some ways, but it's also fascinating
and useful.

Standards-wise, to quote Jeff Schiller from long ago, the purpose of a standard
is interoperability. A standard exists so that you know what an object *means*,
so you can quickly accept things you like and reject things you don't like.
Ironically, if you don't like Algebraic Eraser, you *want* it to get an
identifier so you can quickly reject its use in an implementation.

Yes, on the one hand, you don't want your standard to be cluttered, but on the
other hand you want to encourage its use. You can give pejorative terms to
either side of it, but I think it's worse for a standard to be
overly-restrictive than overly-inclusive.

Traditionally in OpenPGP, we've gone towards being inclusive because we didn't
want people to either (1) just grab an identifier in the experimental/private
region or out in IANA space or (2) go use some other standard where all they
need is an OID.

We've put in identifiers for controversial hash functions, Elgamal signatures,
X9.42 DH, symmetric crypto, and in many cases gone and removed them later. Look
at the differences between section 9 of 2440 and section 9 of 4880. It's an
interesting commentary on where thought was in 1998 and 2007.

Moreover, we survived! Nothing bad happened. We learned that OpenPGP is
amazingly resilient to the downsides of being inclusive. The worst issue we had
to deal with was Elgamal signatures -- controversial from the start, tetchy to
use, and there were flawed implementations. But it ended up being retired
because its proponents moved on.

There is little risk to giving Derek what he wants. It's just an identifier. In
fact, the biggest risk in my opinion is that we tell him no, he goes off and is
successful using X.509.

Jon
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp