ietf-openpgp

Re: [openpgp] Proposed Patch to RFC4880bis to reserve two public key numbers

2016-07-07 06:21:57
Hi,

On Thu, July 7, 2016 5:23 am, Stephen Farrell wrote:
[snip]

I forget if this cfrg posting [1] on AE was made visible here
or not. Apologies if this is repetitive but that posting from
Kenny Paterson on 20151113 seems quite relevant as it says:

"
My colleague Simon Blackburn and his collaborators have just
published an attack on the Algebraic Eraser scheme, breaking the
scheme at the designers' claimed 128-bit security level. Their
attack recovers the shared key using 8 CPU hours and 64MB of
memory. Their paper is here:

   http://arxiv.org/abs/1511.03870

And there was a paper published in response to this:

http://arxiv.org/abs/1601.04780

With no hats, I'd be against adding an algorithm, even as an
option, if there are current serious questions about its real
security level. I do get the arguments for and against, but in
such cases am against adding codepoints where there is no way
to flag the codepoint as "likely dangerous" or some other
similarly negative/scary warning. And while it's good to go to
the effort to deprecate old codepoints that are now likely
dangerous, I don't see that it's a good idea to add new ones
"born" in that state.

Note again that it's just reserving the number; it's completely
underspecified.

[snip]

Putting my AD hat back on: if the WG do reach consensus to
add such codepoints, then when it comes time to publish, I'll
be looking back to the list to ensure that consensus was very
clear on the list. For the AE ones, that's clearly happening
via this thread which is fine process-wise, assuming more folks
opine and the chairs declare consensus. I'm just noting that
so we ensure the same clarity if there are other similarly
contentious codepoint requests in order to avoid having to
revisit stuff at publication time.

Frankly, we are already using code point 23 in production. I grabbed that
point years ago when I wrote the original I-D and posted it here (in
coordination with Werner, who grabbed 22 for EdDSA), well before this WG
reopened.  I doubt there will be a large contingent looking to implement
it, which is fine.  But I'd like to make sure nobody else uses that code
point.

-derek
-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant
